From c31b6894eb78ff7223d2288bc40142e54a3ced2c Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Tue, 12 Aug 2025 08:48:08 +0100 Subject: [PATCH 01/36] update libvirtd.conf-el8.erb to actually be an erb --- templates/libvirtd.conf-el8.erb | 267 +++++++++++++------------------- 1 file changed, 107 insertions(+), 160 deletions(-) diff --git a/templates/libvirtd.conf-el8.erb b/templates/libvirtd.conf-el8.erb index 92562ab..29bf3f1 100644 --- a/templates/libvirtd.conf-el8.erb +++ b/templates/libvirtd.conf-el8.erb @@ -1,6 +1,7 @@ +# This file is managed by puppet - changes will be overwritten # Master libvirt daemon configuration file # -# For further information consult https://libvirt.org/format.html +# For further information consult http://libvirt.org/format.html # # NOTE: the tests/daemon-conf regression test script requires # that each "PARAMETER = VALUE" line in this file have the parameter @@ -20,6 +21,11 @@ # # This is enabled by default, uncomment this to disable it #listen_tls = 0 +<% if @listen_tls == true -%> +listen_tls = 1 +<% elsif @listen_tls == false -%> +listen_tls = 0 +<% end -%> # Listen for unencrypted TCP connections on the public TCP/IP port. # NB, must pass the --listen flag to the libvirtd process for this to @@ -31,6 +37,11 @@ # # This is disabled by default, uncomment this to enable it. #listen_tcp = 1 +<% if @listen_tcp == true -%> +listen_tcp = 1 +<% elsif @listen_tcp == false -%> +listen_tcp = 0 +<% end -%> @@ -38,21 +49,26 @@ # This can be a port number, or service name # #tls_port = "16514" +<% if @tls_port -%> +tls_port = "<%= @tls_port %>" +<% end -%> # Override the port for accepting insecure TCP connections # This can be a port number, or service name # #tcp_port = "16509" +<% if @tcp_port -%> +tcp_port = "<%= @tcp_port %>" +<% end -%> # Override the default configuration which binds to all network # interfaces. This can be a numeric IPv4/6 address, or hostname # -# If the libvirtd service is started in parallel with network -# startup (e.g. with systemd), binding to addresses other than -# the wildcards (0.0.0.0/::) might not be available yet. -# #listen_addr = "192.168.0.1" +<% if @listen_addr -%> +listen_addr = "<%= @listen_addr %>" +<% end -%> # Flag toggling mDNS advertizement of the libvirt service. @@ -60,14 +76,17 @@ # Alternatively can disable for all services on a host by # stopping the Avahi daemon # -# This is disabled by default, uncomment this to enable it -#mdns_adv = 1 +# This is enabled by default, uncomment this to disable it +#mdns_adv = 0 +<% if @mdns_adv == false or @mdns_adv == '0' -%> +mdns_adv = 0 +<% end -%> # Override the default mDNS advertizement name. This must be # unique on the immediate broadcast network. # # The default is "Virtualization Host HOSTNAME", where HOSTNAME -# is substituted for the short hostname of the machine (without domain) +# is subsituted for the short hostname of the machine (without domain) # #mdns_name = "Virtualization Host Joe Demo" @@ -83,13 +102,19 @@ # # This is restricted to 'root' by default. #unix_sock_group = "libvirt" +<% if @unix_sock_group -%> +unix_sock_group = "<%= @unix_sock_group %>" +<% end -%> # Set the UNIX socket permissions for the R/O socket. This is used # for monitoring VM status only # -# Default allows any user. If setting group ownership, you may want to -# restrict this too. +# Default allows any user. If setting group ownership may want to +# restrict this to: #unix_sock_ro_perms = "0777" +<% if @unix_sock_ro_perms -%> +unix_sock_ro_perms = "<%= @unix_sock_ro_perms %>" +<% end -%> # Set the UNIX socket permissions for the R/W socket. This is used # for full management of VMs @@ -98,19 +123,17 @@ # the default will change to allow everyone (eg, 0777) # # If not using PolicyKit and setting group ownership for access -# control, then you may want to relax this too. +# control then you may want to relax this to: #unix_sock_rw_perms = "0770" - -# Set the UNIX socket permissions for the admin interface socket. -# -# Default allows only owner (root), do not change it unless you are -# sure to whom you are exposing the access to. -#unix_sock_admin_perms = "0700" +<% if @unix_sock_rw_perms -%> +unix_sock_rw_perms = "<%= @unix_sock_rw_perms %>" +<% end -%> # Set the name of the directory in which sockets will be found/created. #unix_sock_dir = "/var/run/libvirt" - - +<% if @unix_sock_dir -%> +unix_sock_dir = "<%= @unix_sock_dir %>" +<% end -%> ################################################################# # @@ -125,7 +148,7 @@ # - sasl: use SASL infrastructure. The actual auth scheme is then # controlled from /etc/sasl2/libvirt.conf. For the TCP # socket only GSSAPI & DIGEST-MD5 mechanisms will be used. -# For non-TCP or TLS sockets, any scheme is allowed. +# For non-TCP or TLS sockets, any scheme is allowed. # # - polkit: use PolicyKit to authenticate. This is only suitable # for use on the UNIX sockets. The default policy will @@ -139,6 +162,9 @@ # To restrict monitoring of domains you may wish to enable # an authentication mechanism here #auth_unix_ro = "none" +<%- if @auth_unix_ro -%> +auth_unix_ro = "<%= @auth_unix_ro %>" +<%- end -%> # Set an authentication scheme for UNIX read-write sockets # By default socket permissions only allow root. If PolicyKit @@ -148,6 +174,9 @@ # If the unix_sock_rw_perms are changed you may wish to enable # an authentication mechanism here #auth_unix_rw = "none" +<%- if @auth_unix_rw -%> +auth_unix_rw = "<%= @auth_unix_rw %>" +<%- end -%> # Change the authentication scheme for TCP sockets. # @@ -156,6 +185,9 @@ # use, always enable SASL and use the GSSAPI or DIGEST-MD5 # mechanism in /etc/sasl2/libvirt.conf #auth_tcp = "sasl" +<% if @auth_tcp -%> +auth_tcp = "<%= @auth_tcp %>" +<% end -%> # Change the authentication scheme for TLS sockets. # @@ -165,37 +197,17 @@ # It is possible to make use of any SASL authentication # mechanism as well, by using 'sasl' for this option #auth_tls = "none" +<% if @auth_tls -%> +auth_tls = "<%= @auth_tls %>" +<% end -%> -# Change the API access control scheme -# -# By default an authenticated user is allowed access -# to all APIs. Access drivers can place restrictions -# on this. By default the 'nop' driver is enabled, -# meaning no access control checks are done once a -# client has authenticated with libvirtd -# -#access_drivers = [ "polkit" ] ################################################################# # # TLS x509 certificate configuration # -# Use of TLS requires that x509 certificates be issued. The default locations -# for the certificate files is as follows: -# -# /etc/pki/CA/cacert.pem - The CA master certificate -# /etc/pki/libvirt/servercert.pem - The server certificate signed with -# the cacert.pem -# /etc/pki/libvirt/private/serverkey.pem - The server private key -# -# It is possible to override the default locations by altering the 'key_file', -# 'cert_file', and 'ca_file' values and uncommenting them below. -# -# NB, overriding the default of one location requires uncommenting and -# possibly additionally overriding the other settings. -# # Override the default server key file path # @@ -242,7 +254,7 @@ #tls_no_verify_certificate = 1 -# A whitelist of allowed x509 Distinguished Names +# A whitelist of allowed x509 Distinguished Names # This list may contain wildcards such as # # "C=GB,ST=London,L=London,O=Red Hat,CN=*" @@ -256,7 +268,7 @@ #tls_allowed_dn_list = ["DN1", "DN2"] -# A whitelist of allowed SASL usernames. The format for username +# A whitelist of allowed SASL usernames. The format for usernames # depends on the SASL authentication mechanism. Kerberos usernames # look like username@REALM # @@ -273,13 +285,6 @@ #sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] -# Override the compile time default TLS priority string. The -# default is usually "NORMAL" unless overridden at build time. -# Only set this is it is desired for libvirt to deviate from -# the global default settings. -# -#tls_priority="NORMAL" - ################################################################# # @@ -288,22 +293,12 @@ # The maximum number of concurrent client connections to allow # over all sockets combined. -#max_clients = 5000 - -# The maximum length of queue of connections waiting to be -# accepted by the daemon. Note, that some protocols supporting -# retransmission may obey this so that a later reattempt at -# connection succeeds. -#max_queued_clients = 1000 +#max_clients = 20 -# The maximum length of queue of accepted but not yet -# authenticated clients. The default value is 20. Set this to -# zero to turn this feature off. -#max_anonymous_clients = 20 # The minimum limit sets the number of workers to start up # initially. If the number of active clients exceeds this, -# then more threads are spawned, up to max_workers limit. +# then more threads are spawned, upto max_workers limit. # Typically you'd want max_workers to equal maximum number # of clients allowed #min_workers = 5 @@ -311,26 +306,26 @@ # The number of priority workers. If all workers from above -# pool are stuck, some calls marked as high priority +# pool will stuck, some calls marked as high priority # (notably domainDestroy) can be executed in this pool. #prio_workers = 5 +# Total global limit on concurrent RPC calls. Should be +# at least as large as max_workers. Beyond this, RPC requests +# will be read into memory and queued. This directly impact +# memory usage, currently each request requires 256 KB of +# memory. So by default upto 5 MB of memory is used +# +# XXX this isn't actually enforced yet, only the per-client +# limit is used so far +#max_requests = 20 + # Limit on concurrent requests from a single client # connection. To avoid one client monopolizing the server -# this should be a small fraction of the global max_workers -# parameter. +# this should be a small fraction of the global max_requests +# and max_workers parameter #max_client_requests = 5 -# Same processing controls, but this time for the admin interface. -# For description of each option, be so kind to scroll few lines -# upwards. - -#admin_min_workers = 1 -#admin_max_workers = 5 -#admin_max_clients = 5 -#admin_max_queued_clients = 5 -#admin_max_client_requests = 5 - ################################################################# # # Logging controls @@ -338,79 +333,54 @@ # Logging level: 4 errors, 3 warnings, 2 information, 1 debug # basically 1 will log everything possible -# -# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. -# -# WARNING: It outputs too much information to practically read. -# WARNING: The "log_filters" setting is recommended instead. -# -# WARNING: Journald applies rate limiting of messages and so libvirt -# WARNING: will limit "log_level" to only allow values 3 or 4 if -# WARNING: journald is the current output. -# -# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. #log_level = 3 # Logging filters: # A filter allows to select a different logging level for a given category -# of logs. The format for a filter is one of: -# -# level:match -# level:+match -# -# where 'match' is a string which is matched against the category -# given in the VIR_LOG_INIT() at the top of each libvirt source -# file, e.g., "remote", "qemu", or "util.json". The 'match' in the -# filter matches using shell wildcard syntax (see 'man glob(7)'). -# The 'match' is always treated as a substring match. IOW a match -# string 'foo' is equivalent to '*foo*'. -# -# If 'match' contains the optional "+" prefix, it tells libvirt -# to log stack trace for each message matching name. -# -# 'level' is the minimal level where matching messages should -# be logged: -# +# of logs +# The format for a filter is: +# x:name +# where name is a match string e.g. remote or qemu +# the x prefix is the minimal level where matching messages should be logged # 1: DEBUG # 2: INFO # 3: WARNING # 4: ERROR # -# Multiple filters can be defined in a single @log_filters, they just need -# to be separated by spaces. Note that libvirt performs "first" match, i.e. -# if there are concurrent filters, the first one that matches will be applied, -# given the order in @log_filters. +# Multiple filter can be defined in a single @filters, they just need to be +# separated by spaces. # -# A typical need is to capture information from a hypervisor driver, -# public API entrypoints and some of the utility code. Some utility -# code is very verbose and is generally not desired. Taking the QEMU -# hypervisor as an example, a suitable filter string for debugging -# might be to turn off object, json & event logging, but enable the -# rest of the util code: -# -#log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util" +# e.g: +# log_filters="3:remote 4:event" +# to only get warning or errors from the remote layer and only errors from +# the event layer. # Logging outputs: # An output is one of the places to save logging information # The format for an output can be: -# level:stderr +# x:stderr # output goes to stderr -# level:syslog:name +# x:syslog:name # use syslog for the output and use the given name as the ident -# level:file:file_path +# x:file:file_path # output to a file, with the given filepath -# level:journald -# output to journald logging system -# In all cases 'level' is the minimal priority, acting as a filter +# In all case the x prefix is the minimal level, acting as a filter # 1: DEBUG # 2: INFO # 3: WARNING # 4: ERROR # -# Multiple outputs can be defined, they just need to be separated by spaces. -# e.g. to log all warnings and errors to syslog under the libvirtd ident: -#log_outputs="3:syslog:libvirtd" -# +# Multiple output can be defined, they just need to be separated by spaces. +# e.g.: +# log_outputs="3:syslog:libvirtd" +# to log all warnings and errors to syslog under the libvirtd ident + +# Log debug buffer size: default 64 +# The daemon keeps an internal debug log buffer which will be dumped in case +# of crash or upon receiving a SIGUSR2 signal. This setting allows to override +# the default buffer size in kilobytes. +# If value is 0 or less the debug log buffer is deactivated +#log_buffer_size = 64 ################################################################## @@ -432,16 +402,10 @@ ################################################################### # UUID of the host: -# Host UUID is read from one of the sources specified in host_uuid_source. -# -# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid' -# - 'machine-id': fetch the UUID from /etc/machine-id -# -# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide -# a valid UUID a temporary UUID will be generated. -# -# Another option is to specify host UUID in host_uuid. -# +# Provide the UUID of the host here in case the command +# 'dmidecode -s system-uuid' does not provide a valid uuid. In case +# 'dmidecode' does not provide a valid UUID and none is provided here, a +# temporary UUID will be generated. # Keep the format of the example UUID below. UUID must not have all digits # be the same. @@ -449,12 +413,11 @@ # it with the output of the 'uuidgen' command and then # uncomment this entry #host_uuid = "00000000-0000-0000-0000-000000000000" -#host_uuid_source = "smbios" ################################################################### # Keepalive protocol: # This allows libvirtd to detect broken client connections or even -# dead clients. A keepalive message is sent to a client after +# dead client. A keepalive message is sent to a client after # keepalive_interval seconds of inactivity to check if the client is # still responding; keepalive_count is a maximum number of keepalive # messages that are allowed to be sent to the client without getting @@ -463,31 +426,15 @@ # keepalive_interval * (keepalive_count + 1) seconds since the last # message received from the client. If keepalive_interval is set to # -1, libvirtd will never send keepalive requests; however clients -# can still send them and the daemon will send responses. When +# can still send them and the deamon will send responses. When # keepalive_count is set to 0, connections will be automatically # closed after keepalive_interval seconds of inactivity without -# sending any keepalive messages. +# sending any keepalive messages. Disabled by default. # #keepalive_interval = 5 #keepalive_count = 5 - # -# These configuration options are no longer used. There is no way to -# restrict such clients from connecting since they first need to -# connect in order to ask for keepalive. +# If set to 1, libvirtd will refuse to talk to clients that do not +# support keepalive protocol. Defaults to 0. # #keepalive_required = 1 -#admin_keepalive_required = 1 - -# Keepalive settings for the admin interface -#admin_keepalive_interval = 5 -#admin_keepalive_count = 5 - -################################################################### -# Open vSwitch: -# This allows to specify a timeout for openvswitch calls made by -# libvirt. The ovs-vsctl utility is used for the configuration and -# its timeout option is set by default to 5 seconds to avoid -# potential infinite waits blocking libvirt. -# -#ovs_timeout = 5 From b20b5420f0abb288bc56197f9d3edf06299103d9 Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Tue, 12 Aug 2025 08:49:22 +0100 Subject: [PATCH 02/36] include managed by puppet header in erb --- templates/libvirtd.conf-el8.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/libvirtd.conf-el8.erb b/templates/libvirtd.conf-el8.erb index 29bf3f1..f86d232 100644 --- a/templates/libvirtd.conf-el8.erb +++ b/templates/libvirtd.conf-el8.erb @@ -1,4 +1,5 @@ # This file is managed by puppet - changes will be overwritten +# # Master libvirt daemon configuration file # # For further information consult http://libvirt.org/format.html From f38589affc776f2afd251cd25eebdcf425f1bfa8 Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Tue, 12 Aug 2025 09:04:27 +0100 Subject: [PATCH 03/36] set listen_tcp listen_tls to Deb and RHEL default --- manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index eb4367b..4f64462 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -33,8 +33,8 @@ $sysconfig = $::libvirt::params::sysconfig, $deb_default = $::libvirt::params::deb_default, # libvirtd.conf options - $listen_tls = undef, - $listen_tcp = undef, + $listen_tls = true, + $listen_tcp = false, $tls_port = undef, $tcp_port = undef, $listen_addr = undef, From c7fc9a73a7dd617fbf863fb6d37b7426b916ba83 Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Tue, 12 Aug 2025 09:09:47 +0100 Subject: [PATCH 04/36] set tls_port, tcp_port to Deb/RHEL defaults --- manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 4f64462..96499b6 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -35,8 +35,8 @@ # libvirtd.conf options $listen_tls = true, $listen_tcp = false, - $tls_port = undef, - $tcp_port = undef, + $tls_port = 16514, + $tcp_port = 16509, $listen_addr = undef, $mdns_adv = undef, $auth_tcp = undef, From 203f373e1fe01a5d8e0f28ba0bb74c0aa77a385c Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Tue, 12 Aug 2025 09:42:34 +0100 Subject: [PATCH 05/36] add mdns_name param, maps to fqdn fact --- manifests/init.pp | 1 + manifests/params.pp | 1 + 2 files changed, 2 insertions(+) diff --git a/manifests/init.pp b/manifests/init.pp index 96499b6..bcea62b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -39,6 +39,7 @@ $tcp_port = 16509, $listen_addr = undef, $mdns_adv = undef, + $mdns_name = $::libvirt::params::mdns_name, $auth_tcp = undef, $auth_tls = undef, $unix_sock_group = $::libvirt::params::unix_sock_group, diff --git a/manifests/params.pp b/manifests/params.pp index 1614866..ff6fa44 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -57,6 +57,7 @@ $unix_sock_rw_perms = false $auth_unix_rw = false $unix_sock_group = false + $mdns_name = "${facts['fqdn']} libvirt hypervisor" } } From 8108cff503518a9c6ef444f46e6a4afd1b669a35 Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Tue, 12 Aug 2025 12:28:55 +0100 Subject: [PATCH 06/36] move mdns_name out of case statement and corrected fact --- manifests/params.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/manifests/params.pp b/manifests/params.pp index ff6fa44..1ec224f 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -57,10 +57,12 @@ $unix_sock_rw_perms = false $auth_unix_rw = false $unix_sock_group = false - $mdns_name = "${facts['fqdn']} libvirt hypervisor" } } + + $mdns_name = "${facts['networking']['fqdn']} libvirt hypervisor" + $default_dhcp = { 'start' => '192.168.122.2', 'end' => '192.168.122.254', From 10c82819d1a21041c81f0e3370bb22cad40c6692 Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Tue, 12 Aug 2025 12:52:48 +0100 Subject: [PATCH 07/36] set unix_sock_group to rhel and deb defaults --- manifests/params.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/params.pp b/manifests/params.pp index 1ec224f..c27f9e0 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -23,7 +23,7 @@ $auth_unix_ro = false $unix_sock_rw_perms = false $auth_unix_rw = false - $unix_sock_group = false + $unix_sock_group = root } 'Debian': { $libvirt_package = 'libvirt-bin' @@ -56,7 +56,7 @@ $auth_unix_ro = false $unix_sock_rw_perms = false $auth_unix_rw = false - $unix_sock_group = false + $unix_sock_group = root } } From 440cd453b0f30c3e31ac24170327e1c4180071a1 Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Tue, 12 Aug 2025 12:55:22 +0100 Subject: [PATCH 08/36] set unix_sock_ro_perms to RHEL/Deb default --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index bcea62b..51fef28 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -43,7 +43,7 @@ $auth_tcp = undef, $auth_tls = undef, $unix_sock_group = $::libvirt::params::unix_sock_group, - $unix_sock_ro_perms = undef, + $unix_sock_ro_perms = 0777, $auth_unix_ro = $::libvirt::params::auth_unix_ro, $unix_sock_rw_perms = $::libvirt::params::unix_sock_rw_perms, $auth_unix_rw = $::libvirt::params::auth_unix_rw, From f7af2232624d01085391b54016b5ad33474306b0 Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Tue, 12 Aug 2025 13:09:58 +0100 Subject: [PATCH 09/36] set unix_sock_rw_perms to RHEL/Deb defaults --- manifests/params.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/params.pp b/manifests/params.pp index c27f9e0..30913cb 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -21,7 +21,7 @@ $sysconfig = {} $deb_default = false $auth_unix_ro = false - $unix_sock_rw_perms = false + $unix_sock_rw_perms = '0770' $auth_unix_rw = false $unix_sock_group = root } @@ -54,7 +54,7 @@ $sysconfig = false $deb_default = false $auth_unix_ro = false - $unix_sock_rw_perms = false + $unix_sock_rw_perms = '0770' $auth_unix_rw = false $unix_sock_group = root } From 54de1fc5468cd3df808d446b0ce1ceebb3456cee Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Tue, 12 Aug 2025 13:16:25 +0100 Subject: [PATCH 10/36] set unix_sock_dir to RHEL/Deb defaults --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 51fef28..c2514cd 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -47,7 +47,7 @@ $auth_unix_ro = $::libvirt::params::auth_unix_ro, $unix_sock_rw_perms = $::libvirt::params::unix_sock_rw_perms, $auth_unix_rw = $::libvirt::params::auth_unix_rw, - $unix_sock_dir = undef, + $unix_sock_dir = '/run/libvirt', # qemu.conf options $qemu_vnc_listen = undef, $qemu_vnc_sasl = undef, From 050afdc3e4f3f93d6b978d45e89e62e377097ed3 Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Tue, 12 Aug 2025 13:55:02 +0100 Subject: [PATCH 11/36] set auth_unix_ro to RHEL/Deb defaults --- manifests/params.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/manifests/params.pp b/manifests/params.pp index 30913cb..993e227 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -20,7 +20,7 @@ $radvd_package = 'radvd' $sysconfig = {} $deb_default = false - $auth_unix_ro = false + $auth_unix_ro = 'polkit' $unix_sock_rw_perms = '0770' $auth_unix_rw = false $unix_sock_group = root @@ -32,7 +32,7 @@ $sysconfig = false $deb_default = {} # UNIX socket - $auth_unix_ro = 'none' + $auth_unix_ro = 'polkit' $unix_sock_rw_perms = '0770' $auth_unix_rw = 'none' case $facts['os']['name'] { @@ -53,7 +53,7 @@ $radvd_package = 'radvd' $sysconfig = false $deb_default = false - $auth_unix_ro = false + $auth_unix_ro = 'polkit' $unix_sock_rw_perms = '0770' $auth_unix_rw = false $unix_sock_group = root From 9c8b567d2ed16013d8249f53f728634a49c35e80 Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Tue, 12 Aug 2025 13:57:10 +0100 Subject: [PATCH 12/36] set auth_unix_rw to RHEL/Deb defaults --- manifests/params.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/manifests/params.pp b/manifests/params.pp index 993e227..10d7f17 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -22,7 +22,7 @@ $deb_default = false $auth_unix_ro = 'polkit' $unix_sock_rw_perms = '0770' - $auth_unix_rw = false + $auth_unix_rw = 'polkit' $unix_sock_group = root } 'Debian': { @@ -34,7 +34,7 @@ # UNIX socket $auth_unix_ro = 'polkit' $unix_sock_rw_perms = '0770' - $auth_unix_rw = 'none' + $auth_unix_rw = 'polkit' case $facts['os']['name'] { 'Ubuntu', 'LinuxMint': { $libvirt_service = 'libvirt-bin' @@ -55,7 +55,7 @@ $deb_default = false $auth_unix_ro = 'polkit' $unix_sock_rw_perms = '0770' - $auth_unix_rw = false + $auth_unix_rw = 'polkit' $unix_sock_group = root } } From 76f430bbd5fa15bdd43b42b76a36f368ff7db8bd Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Tue, 12 Aug 2025 14:00:48 +0100 Subject: [PATCH 13/36] set auth_tcp auth_tls to RHEL/Deb default --- manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index c2514cd..dea9dfc 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -40,8 +40,8 @@ $listen_addr = undef, $mdns_adv = undef, $mdns_name = $::libvirt::params::mdns_name, - $auth_tcp = undef, - $auth_tls = undef, + $auth_tcp = sasl, + $auth_tls = 'none', $unix_sock_group = $::libvirt::params::unix_sock_group, $unix_sock_ro_perms = 0777, $auth_unix_ro = $::libvirt::params::auth_unix_ro, From 431dca469211af01c3d5b4b220ccc678d4d7ff89 Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Tue, 12 Aug 2025 14:18:03 +0100 Subject: [PATCH 14/36] new param access_drivers to RHEL/Deb defaults --- manifests/init.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/init.pp b/manifests/init.pp index dea9dfc..31b84f8 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -48,6 +48,7 @@ $unix_sock_rw_perms = $::libvirt::params::unix_sock_rw_perms, $auth_unix_rw = $::libvirt::params::auth_unix_rw, $unix_sock_dir = '/run/libvirt', + $access_drivers = 'nop', # qemu.conf options $qemu_vnc_listen = undef, $qemu_vnc_sasl = undef, From d91475a808801167bf308d50ed1c91fed01fe562 Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Tue, 12 Aug 2025 14:28:26 +0100 Subject: [PATCH 15/36] new param tcp_min_ssf set RHEL/Deb default --- manifests/init.pp | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 31b84f8..69222ef 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -35,18 +35,19 @@ # libvirtd.conf options $listen_tls = true, $listen_tcp = false, - $tls_port = 16514, - $tcp_port = 16509, + $tls_port = '16514', + $tcp_port = '16509', $listen_addr = undef, $mdns_adv = undef, $mdns_name = $::libvirt::params::mdns_name, $auth_tcp = sasl, $auth_tls = 'none', $unix_sock_group = $::libvirt::params::unix_sock_group, - $unix_sock_ro_perms = 0777, + $unix_sock_ro_perms = '0777', $auth_unix_ro = $::libvirt::params::auth_unix_ro, $unix_sock_rw_perms = $::libvirt::params::unix_sock_rw_perms, $auth_unix_rw = $::libvirt::params::auth_unix_rw, + $tcp_min_ssf = '112', $unix_sock_dir = '/run/libvirt', $access_drivers = 'nop', # qemu.conf options From b20ff437b2ee21ac0d48c98d7911c17ac92be0cf Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Tue, 12 Aug 2025 15:23:10 +0100 Subject: [PATCH 16/36] update erb to align to el8 template --- templates/libvirtd.conf.erb | 80 ++++++++++++++----------------------- 1 file changed, 30 insertions(+), 50 deletions(-) diff --git a/templates/libvirtd.conf.erb b/templates/libvirtd.conf.erb index 1ed9e3f..efbc6d2 100644 --- a/templates/libvirtd.conf.erb +++ b/templates/libvirtd.conf.erb @@ -1,10 +1,6 @@ +# This file is managed by puppet - changes will be overwritten + # Master libvirt daemon configuration file -# -# For further information consult http://libvirt.org/format.html -# -# NOTE: the tests/daemon-conf regression test script requires -# that each "PARAMETER = VALUE" line in this file have the parameter -# name just after a leading "#". ################################################################# # @@ -18,8 +14,7 @@ # It is necessary to setup a CA and issue server certificates before # using this capability. # -# This is enabled by default, uncomment this to disable it -#listen_tls = 0 +# This is enabled by default <% if @listen_tls == true -%> listen_tls = 1 <% elsif @listen_tls == false -%> @@ -27,58 +22,54 @@ listen_tls = 0 <% end -%> # Listen for unencrypted TCP connections on the public TCP/IP port. -# NB, must pass the --listen flag to the libvirtd process for this to -# have any effect. +# +# To enable listening sockets with the 'libvirtd' daemon it's also required to +# pass the '--listen' flag on the commandline of the daemon. +# This is not needed with 'virtproxyd'. +# +# This setting is not required or honoured if using systemd socket +# activation. # # Using the TCP socket requires SASL authentication by default. Only # SASL mechanisms which support data encryption are allowed. This is # DIGEST_MD5 and GSSAPI (Kerberos5) -# -# This is disabled by default, uncomment this to enable it. -#listen_tcp = 1 + +# This is disabled by default <% if @listen_tcp == true -%> listen_tcp = 1 <% elsif @listen_tcp == false -%> listen_tcp = 0 <% end -%> - - -# Override the port for accepting secure TLS connections # This can be a port number, or service name -# -#tls_port = "16514" <% if @tls_port -%> tls_port = "<%= @tls_port %>" <% end -%> -# Override the port for accepting insecure TCP connections # This can be a port number, or service name -# -#tcp_port = "16509" <% if @tcp_port -%> tcp_port = "<%= @tcp_port %>" <% end -%> - # Override the default configuration which binds to all network # interfaces. This can be a numeric IPv4/6 address, or hostname # -#listen_addr = "192.168.0.1" <% if @listen_addr -%> listen_addr = "<%= @listen_addr %>" +<% else -%> +#listen_addr = "192.168.0.1" <% end -%> - # Flag toggling mDNS advertizement of the libvirt service. # # Alternatively can disable for all services on a host by # stopping the Avahi daemon # # This is enabled by default, uncomment this to disable it -#mdns_adv = 0 <% if @mdns_adv == false or @mdns_adv == '0' -%> mdns_adv = 0 +<% else -%> +#mdns_adv = 0 <% end -%> # Override the default mDNS advertizement name. This must be @@ -87,7 +78,7 @@ mdns_adv = 0 # The default is "Virtualization Host HOSTNAME", where HOSTNAME # is subsituted for the short hostname of the machine (without domain) # -#mdns_name = "Virtualization Host Joe Demo" +mdns_name = "<%= @mdns_name %>" ################################################################# @@ -100,20 +91,14 @@ mdns_adv = 0 # without becoming root. # # This is restricted to 'root' by default. -#unix_sock_group = "libvirt" -<% if @unix_sock_group -%> unix_sock_group = "<%= @unix_sock_group %>" -<% end -%> # Set the UNIX socket permissions for the R/O socket. This is used # for monitoring VM status only # # Default allows any user. If setting group ownership may want to # restrict this to: -#unix_sock_ro_perms = "0777" -<% if @unix_sock_ro_perms -%> unix_sock_ro_perms = "<%= @unix_sock_ro_perms %>" -<% end -%> # Set the UNIX socket permissions for the R/W socket. This is used # for full management of VMs @@ -123,16 +108,10 @@ unix_sock_ro_perms = "<%= @unix_sock_ro_perms %>" # # If not using PolicyKit and setting group ownership for access # control then you may want to relax this to: -#unix_sock_rw_perms = "0770" -<% if @unix_sock_rw_perms -%> unix_sock_rw_perms = "<%= @unix_sock_rw_perms %>" -<% end -%> # Set the name of the directory in which sockets will be found/created. -#unix_sock_dir = "/var/run/libvirt" -<% if @unix_sock_dir -%> unix_sock_dir = "<%= @unix_sock_dir %>" -<% end -%> ################################################################# # @@ -160,10 +139,7 @@ unix_sock_dir = "<%= @unix_sock_dir %>" # # To restrict monitoring of domains you may wish to enable # an authentication mechanism here -#auth_unix_ro = "none" -<%- if @auth_unix_ro -%> auth_unix_ro = "<%= @auth_unix_ro %>" -<%- end -%> # Set an authentication scheme for UNIX read-write sockets # By default socket permissions only allow root. If PolicyKit @@ -172,10 +148,7 @@ auth_unix_ro = "<%= @auth_unix_ro %>" # # If the unix_sock_rw_perms are changed you may wish to enable # an authentication mechanism here -#auth_unix_rw = "none" -<%- if @auth_unix_rw -%> auth_unix_rw = "<%= @auth_unix_rw %>" -<%- end -%> # Change the authentication scheme for TCP sockets. # @@ -183,10 +156,7 @@ auth_unix_rw = "<%= @auth_unix_rw %>" # Don't do this outside of a dev/test scenario. For real world # use, always enable SASL and use the GSSAPI or DIGEST-MD5 # mechanism in /etc/sasl2/libvirt.conf -#auth_tcp = "sasl" -<% if @auth_tcp -%> auth_tcp = "<%= @auth_tcp %>" -<% end -%> # Change the authentication scheme for TLS sockets. # @@ -195,11 +165,21 @@ auth_tcp = "<%= @auth_tcp %>" # # It is possible to make use of any SASL authentication # mechanism as well, by using 'sasl' for this option -#auth_tls = "none" -<% if @auth_tls -%> auth_tls = "<%= @auth_tls %>" -<% end -%> +# This option can be used to set values higher than defaut 112 +tcp_min_ssf = "<%= @tcp_min_ssf %>" + + +# Change the API access control scheme +# +# By default an authenticated user is allowed access +# to all APIs. Access drivers can place restrictions +# on this. By default the 'nop' driver is enabled, +# meaning no access control checks are done once a +# client has authenticated with libvirtd +# target option is polkit +access_drivers = [ "<%= @access_drivers %>" ] ################################################################# From c025eeed5309475e24b7574648fd521bf0b060dd Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Tue, 12 Aug 2025 15:23:42 +0100 Subject: [PATCH 17/36] create functional libvirtd erb supported EL8-9-10 --- templates/libvirtd.conf-el8.erb | 75 ++++++++++++--------------------- 1 file changed, 27 insertions(+), 48 deletions(-) diff --git a/templates/libvirtd.conf-el8.erb b/templates/libvirtd.conf-el8.erb index f86d232..4092e25 100644 --- a/templates/libvirtd.conf-el8.erb +++ b/templates/libvirtd.conf-el8.erb @@ -1,12 +1,6 @@ # This file is managed by puppet - changes will be overwritten -# + # Master libvirt daemon configuration file -# -# For further information consult http://libvirt.org/format.html -# -# NOTE: the tests/daemon-conf regression test script requires -# that each "PARAMETER = VALUE" line in this file have the parameter -# name just after a leading "#". ################################################################# # @@ -14,14 +8,17 @@ # # Flag listening for secure TLS connections on the public TCP/IP port. -# NB, must pass the --listen flag to the libvirtd process for this to -# have any effect. +# To enable listening sockets with the 'libvirtd' daemon it's also required to +# pass the '--listen' flag on the commandline of the daemon. +# This is not needed with 'virtproxyd'. +# +# This setting is not required or honoured if using systemd socket +# activation. # # It is necessary to setup a CA and issue server certificates before # using this capability. # -# This is enabled by default, uncomment this to disable it -#listen_tls = 0 +# This is enabled by default. <% if @listen_tls == true -%> listen_tls = 1 <% elsif @listen_tls == false -%> @@ -36,7 +33,7 @@ listen_tls = 0 # SASL mechanisms which support data encryption are allowed. This is # DIGEST_MD5 and GSSAPI (Kerberos5) # -# This is disabled by default, uncomment this to enable it. +# This is disabled by default, #listen_tcp = 1 <% if @listen_tcp == true -%> listen_tcp = 1 @@ -44,31 +41,23 @@ listen_tcp = 1 listen_tcp = 0 <% end -%> - - -# Override the port for accepting secure TLS connections # This can be a port number, or service name -# -#tls_port = "16514" <% if @tls_port -%> tls_port = "<%= @tls_port %>" <% end -%> -# Override the port for accepting insecure TCP connections # This can be a port number, or service name -# -#tcp_port = "16509" <% if @tcp_port -%> tcp_port = "<%= @tcp_port %>" <% end -%> - # Override the default configuration which binds to all network # interfaces. This can be a numeric IPv4/6 address, or hostname # -#listen_addr = "192.168.0.1" <% if @listen_addr -%> listen_addr = "<%= @listen_addr %>" +<% else -%> +#listen_addr = "192.168.0.1" <% end -%> @@ -78,9 +67,10 @@ listen_addr = "<%= @listen_addr %>" # stopping the Avahi daemon # # This is enabled by default, uncomment this to disable it -#mdns_adv = 0 <% if @mdns_adv == false or @mdns_adv == '0' -%> mdns_adv = 0 +<% else -%> +#mdns_adv = 0 <% end -%> # Override the default mDNS advertizement name. This must be @@ -89,7 +79,7 @@ mdns_adv = 0 # The default is "Virtualization Host HOSTNAME", where HOSTNAME # is subsituted for the short hostname of the machine (without domain) # -#mdns_name = "Virtualization Host Joe Demo" +mdns_name = "<%= @mdns_name %>" ################################################################# @@ -102,20 +92,14 @@ mdns_adv = 0 # without becoming root. # # This is restricted to 'root' by default. -#unix_sock_group = "libvirt" -<% if @unix_sock_group -%> unix_sock_group = "<%= @unix_sock_group %>" -<% end -%> # Set the UNIX socket permissions for the R/O socket. This is used # for monitoring VM status only # # Default allows any user. If setting group ownership may want to # restrict this to: -#unix_sock_ro_perms = "0777" -<% if @unix_sock_ro_perms -%> unix_sock_ro_perms = "<%= @unix_sock_ro_perms %>" -<% end -%> # Set the UNIX socket permissions for the R/W socket. This is used # for full management of VMs @@ -125,16 +109,10 @@ unix_sock_ro_perms = "<%= @unix_sock_ro_perms %>" # # If not using PolicyKit and setting group ownership for access # control then you may want to relax this to: -#unix_sock_rw_perms = "0770" -<% if @unix_sock_rw_perms -%> unix_sock_rw_perms = "<%= @unix_sock_rw_perms %>" -<% end -%> # Set the name of the directory in which sockets will be found/created. -#unix_sock_dir = "/var/run/libvirt" -<% if @unix_sock_dir -%> unix_sock_dir = "<%= @unix_sock_dir %>" -<% end -%> ################################################################# # @@ -162,10 +140,7 @@ unix_sock_dir = "<%= @unix_sock_dir %>" # # To restrict monitoring of domains you may wish to enable # an authentication mechanism here -#auth_unix_ro = "none" -<%- if @auth_unix_ro -%> auth_unix_ro = "<%= @auth_unix_ro %>" -<%- end -%> # Set an authentication scheme for UNIX read-write sockets # By default socket permissions only allow root. If PolicyKit @@ -174,10 +149,7 @@ auth_unix_ro = "<%= @auth_unix_ro %>" # # If the unix_sock_rw_perms are changed you may wish to enable # an authentication mechanism here -#auth_unix_rw = "none" -<%- if @auth_unix_rw -%> auth_unix_rw = "<%= @auth_unix_rw %>" -<%- end -%> # Change the authentication scheme for TCP sockets. # @@ -185,10 +157,7 @@ auth_unix_rw = "<%= @auth_unix_rw %>" # Don't do this outside of a dev/test scenario. For real world # use, always enable SASL and use the GSSAPI or DIGEST-MD5 # mechanism in /etc/sasl2/libvirt.conf -#auth_tcp = "sasl" -<% if @auth_tcp -%> auth_tcp = "<%= @auth_tcp %>" -<% end -%> # Change the authentication scheme for TLS sockets. # @@ -197,11 +166,21 @@ auth_tcp = "<%= @auth_tcp %>" # # It is possible to make use of any SASL authentication # mechanism as well, by using 'sasl' for this option -#auth_tls = "none" -<% if @auth_tls -%> auth_tls = "<%= @auth_tls %>" -<% end -%> +# This option can be used to set values higher than defaut 112 +tcp_min_ssf = "<%= @tcp_min_ssf %>" + + +# Change the API access control scheme +# +# By default an authenticated user is allowed access +# to all APIs. Access drivers can place restrictions +# on this. By default the 'nop' driver is enabled, +# meaning no access control checks are done once a +# client has authenticated with libvirtd +# target option is polkit +access_drivers = [ "<%= @access_drivers %>" ] ################################################################# From 8956a33b3fd048b592f29695dc90eaa0aba49c55 Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Tue, 12 Aug 2025 20:42:06 +0100 Subject: [PATCH 18/36] delete commented parameter: dynamically generated --- templates/libvirtd.conf-el8.erb | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/libvirtd.conf-el8.erb b/templates/libvirtd.conf-el8.erb index 4092e25..c677792 100644 --- a/templates/libvirtd.conf-el8.erb +++ b/templates/libvirtd.conf-el8.erb @@ -34,7 +34,6 @@ listen_tls = 0 # DIGEST_MD5 and GSSAPI (Kerberos5) # # This is disabled by default, -#listen_tcp = 1 <% if @listen_tcp == true -%> listen_tcp = 1 <% elsif @listen_tcp == false -%> From 4429ef68d2f749597c00b11781dd402ab4829197 Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Tue, 12 Aug 2025 20:50:05 +0100 Subject: [PATCH 19/36] remove quotes from tcp_min_ssf parameter --- templates/libvirtd.conf-el8.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/libvirtd.conf-el8.erb b/templates/libvirtd.conf-el8.erb index c677792..fb7c506 100644 --- a/templates/libvirtd.conf-el8.erb +++ b/templates/libvirtd.conf-el8.erb @@ -168,7 +168,7 @@ auth_tcp = "<%= @auth_tcp %>" auth_tls = "<%= @auth_tls %>" # This option can be used to set values higher than defaut 112 -tcp_min_ssf = "<%= @tcp_min_ssf %>" +tcp_min_ssf = <%= @tcp_min_ssf %> # Change the API access control scheme From 065d6d59333ef6a194cb6771cb01d02253bbe44f Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Tue, 12 Aug 2025 20:52:50 +0100 Subject: [PATCH 20/36] update access_drivers to correct no-op default value --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 69222ef..98ea00a 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -49,7 +49,7 @@ $auth_unix_rw = $::libvirt::params::auth_unix_rw, $tcp_min_ssf = '112', $unix_sock_dir = '/run/libvirt', - $access_drivers = 'nop', + $access_drivers = 'no-op', # qemu.conf options $qemu_vnc_listen = undef, $qemu_vnc_sasl = undef, From 3d93675e8f58635bc1d886a684c3aebdcae218b0 Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Wed, 13 Aug 2025 08:34:59 +0100 Subject: [PATCH 21/36] create qemu.conf erb for el 8,9,10 backward compat --- templates/qemu.conf-el.erb | 1114 ++++++++++++++++++++++++++++++++++++ 1 file changed, 1114 insertions(+) create mode 100644 templates/qemu.conf-el.erb diff --git a/templates/qemu.conf-el.erb b/templates/qemu.conf-el.erb new file mode 100644 index 0000000..3c127f7 --- /dev/null +++ b/templates/qemu.conf-el.erb @@ -0,0 +1,1114 @@ +# This file is managed by puppet, changes here will be lost # +# +# Master configuration file for the QEMU driver. +# All settings described here are optional - if omitted, sensible +# defaults are used. + +#################################################################### +# This section is not under puppet control yet - future target +# ################################################################# +# Use of TLS requires that x509 certificates be issued. The default is +# to keep them in /etc/pki/qemu. This directory must contain +# +# ca-cert.pem - the CA master certificate +# server-cert.pem - the server certificate signed with ca-cert.pem +# server-key.pem - the server private key +# +# and optionally may contain +# +# dh-params.pem - the DH params configuration file +# +# If the directory does not exist, libvirtd will fail to start. If the +# directory doesn't contain the necessary files, QEMU domains will fail +# to start if they are configured to use TLS. +# +# In order to overwrite the default path alter the following. This path +# definition will be used as the default path for other *_tls_x509_cert_dir +# configuration settings if their default path does not exist or is not +# specifically set. +# +#default_tls_x509_cert_dir = "/etc/pki/qemu" + + +# The default TLS configuration only uses certificates for the server +# allowing the client to verify the server's identity and establish +# an encrypted channel. +# +# It is possible to use x509 certificates for authentication too, by +# issuing an x509 certificate to every client who needs to connect. +# +# Enabling this option will reject any client who does not have a +# certificate signed by the CA in /etc/pki/qemu/ca-cert.pem +# +# The default_tls_x509_cert_dir directory must also contain +# +# client-cert.pem - the client certificate signed with the ca-cert.pem +# client-key.pem - the client private key +# +# If this option is supplied it provides the default for the "_verify" option +# of specific TLS users such as vnc, backups, migration, etc. The specific +# users of TLS may override this by setting the specific "_verify" option. +# +# When not supplied the specific TLS users provide their own defaults. +# +#default_tls_x509_verify = 1 + +# +# Libvirt assumes the server-key.pem file is unencrypted by default. +# To use an encrypted server-key.pem file, the password to decrypt +# the PEM file is required. This can be provided by creating a secret +# object in libvirt and then to uncomment this setting to set the UUID +# of the secret. +# +# NB This default all-zeros UUID will not work. Replace it with the +# output from the UUID for the TLS secret from a 'virsh secret-list' +# command and then uncomment the entry +# +#default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" +################################################################## +# Puppet control starts again +# ################################################################ + + +# VNC is configured to listen on 127.0.0.1 by default. +# To make it listen on all public interfaces, change +# this next option. +# +# NB, strong recommendation to enable TLS + x509 certificate +# verification when allowing public access +# +vnc_listen = "<%= @qemu_vnc_listen %>" + +# Enable this option to have VNC served over an automatically created +# unix socket. This prevents unprivileged access from users on the +# host machine, though most VNC clients do not support it. +# +# This will only be enabled for VNC configurations that have listen +# type=address but without any address specified. This setting takes +# preference over vnc_listen. +# +# no puppet parameter here yet +#vnc_auto_unix_socket = 1 + +# Enable use of TLS encryption on the VNC server. This requires +# a VNC client which supports the VeNCrypt protocol extension. +# Examples include vinagre, virt-viewer, virt-manager and vencrypt +# itself. UltraVNC, RealVNC, TightVNC do not support this +# +# It is necessary to setup CA and issue a server certificate +# before enabling this. +# +<% if @qemu_vnc_tls == true -%> +vnc_tls = 1 +<% elsif @qemu_vnc_tls == false -%> +vnc_tls = 0 +<% end -%> + + +# In order to override the default TLS certificate location for +# vnc certificates, supply a valid path to the certificate directory. +# If the provided path does not exist, libvirtd will fail to start. +# If the path is not provided, but vnc_tls = 1, then the +# default_tls_x509_cert_dir path will be used. +# +# no puppet parameter yet +#vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc" + + +# Uncomment and use the following option to override the default secret +# UUID provided in the default_tls_x509_secret_uuid parameter. +# +# no puppet parameter yet +#vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" + + +# The default TLS configuration only uses certificates for the server +# allowing the client to verify the server's identity and establish +# an encrypted channel. +# +# It is possible to use x509 certificates for authentication too, by +# issuing an x509 certificate to every client who needs to connect. +# +# Enabling this option will reject any client that does not have a +# certificate (as described in default_tls_x509_verify) signed by the +# CA in the vnc_tls_x509_cert_dir (or default_tls_x509_cert_dir). +# +# If this option is not supplied, it will be set to the value of +# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either, +# the default is "0". +# +# no puppet parameter yet +#vnc_tls_x509_verify = 1 + + +# The default VNC password. Only 8 bytes are significant for +# VNC passwords. This parameter is only used if the per-domain +# XML config does not already provide a password. To allow +# access without passwords, leave this commented out. An empty +# string will still enable passwords, but be rejected by QEMU, +# effectively preventing any use of VNC. Obviously change this +# example here before you set this. +# +# no puppet parameter yet +#vnc_password = "XYZ12345" + + +# Enable use of SASL encryption on the VNC server. This requires +# a VNC client which supports the SASL protocol extension. +# Examples include vinagre, virt-viewer and virt-manager +# itself. UltraVNC, RealVNC, TightVNC do not support this +# +# It is necessary to configure /etc/sasl2/qemu.conf to choose +# the desired SASL plugin (eg, GSSPI for Kerberos) +# +<% if @qemu_vnc_sasl == true -%> +vnc_sasl = 1 +<% elsif @qemu_vnc_sasl == false -%> +vnc_sasl = 0 +<% end -%> + +# The default SASL configuration file is located in /etc/sasl2/ +# When running libvirtd unprivileged, it may be desirable to +# override the configs in this location. Set this parameter to +# point to the directory, and create a qemu.conf in that location +# +# no puppet parameter yet +#vnc_sasl_dir = "/some/directory/sasl2" + + +# QEMU implements an extension for providing audio over a VNC connection, +# though if your VNC client does not support it, your only chance for getting +# sound output is through regular audio backends. By default, libvirt will +# disable all QEMU sound backends if using VNC, since they can cause +# permissions issues. Enabling this option will make libvirtd honor the +# QEMU_AUDIO_DRV environment variable when using VNC. +# +# no puppet parameter yet +#vnc_allow_host_audio = 0 + + + +# SPICE is configured to listen on 127.0.0.1 by default. +# To make it listen on all public interfaces, uncomment +# this next option. +# +# NB, strong recommendation to enable TLS + x509 certificate +# verification when allowing public access +# +# no puppet parameter yet - spice not supported +#spice_listen = "0.0.0.0" + + +# Enable use of TLS encryption on the SPICE server. +# +# It is necessary to setup CA and issue a server certificate +# before enabling this. +# +# no puppet parameter yet +#spice_tls = 1 + + +# In order to override the default TLS certificate location for +# spice certificates, supply a valid path to the certificate directory. +# If the provided path does not exist, libvirtd will fail to start. +# If the path is not provided, but spice_tls = 1, then the +# default_tls_x509_cert_dir path will be used. +# +#no puppet parameter yet +#spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" + + +# Enable this option to have SPICE served over an automatically created +# unix socket. This prevents unprivileged access from users on the +# host machine. +# +# This will only be enabled for SPICE configurations that have listen +# type=address but without any address specified. This setting takes +# preference over spice_listen. +# +# no puppet parameter yet +#spice_auto_unix_socket = 1 + + +# The default SPICE password. This parameter is only used if the +# per-domain XML config does not already provide a password. To +# allow access without passwords, leave this commented out. An +# empty string will still enable passwords, but be rejected by +# QEMU, effectively preventing any use of SPICE. Obviously change +# this example here before you set this. +# +# no puppet parameter yet +#spice_password = "XYZ12345" + + +# Enable use of SASL encryption on the SPICE server. This requires +# a SPICE client which supports the SASL protocol extension. +# +# It is necessary to configure /etc/sasl2/qemu.conf to choose +# the desired SASL plugin (eg, GSSPI for Kerberos) +# +# no puppet parameter yet +#spice_sasl = 1 + +# The default SASL configuration file is located in /etc/sasl2/ +# When running libvirtd unprivileged, it may be desirable to +# override the configs in this location. Set this parameter to +# point to the directory, and create a qemu.conf in that location +# +# no puppet parameter yet +#spice_sasl_dir = "/some/directory/sasl2" + +# Enable use of TLS encryption on the chardev TCP transports. +# +# It is necessary to setup CA and issue a server certificate +# before enabling this. +# +#no puppet paramweter yet +#chardev_tls = 1 + + +# In order to override the default TLS certificate location for character +# device TCP certificates, supply a valid path to the certificate directory. +# If the provided path does not exist, libvirtd will fail to start. +# If the path is not provided, but chardev_tls = 1, then the +# default_tls_x509_cert_dir path will be used. +# +# no puppet parameter yet +#chardev_tls_x509_cert_dir = "/etc/pki/libvirt-chardev" + + +# The default TLS configuration only uses certificates for the server +# allowing the client to verify the server's identity and establish +# an encrypted channel. +# +# It is possible to use x509 certificates for authentication too, by +# issuing an x509 certificate to every client who needs to connect. +# +# Enabling this option will reject any client that does not have a +# certificate (as described in default_tls_x509_verify) signed by the +# CA in the chardev_tls_x509_cert_dir (or default_tls_x509_cert_dir). +# +# If this option is not supplied, it will be set to the value of +# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either, +# the default is "1". +# +# no puppet parameter yet +#chardev_tls_x509_verify = 1 + + +# Uncomment and use the following option to override the default secret +# UUID provided in the default_tls_x509_secret_uuid parameter. +# +# NB This default all-zeros UUID will not work. Replace it with the +# output from the UUID for the TLS secret from a 'virsh secret-list' +# command and then uncomment the entry +# +# no puppet parameter yet +#chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" + + +# Enable use of TLS encryption for all VxHS network block devices that +# don't specifically disable. +# +# When the VxHS network block device server is set up appropriately, +# x509 certificates are required for authentication between the clients +# (qemu processes) and the remote VxHS server. +# +# It is necessary to setup CA and issue the client certificate before +# enabling this. +# +# no puppet parameter yet +#vxhs_tls = 1 + + +# In order to override the default TLS certificate location for VxHS +# backed storage, supply a valid path to the certificate directory. +# This is used to authenticate the VxHS block device clients to the VxHS +# server. +# +# If the provided path does not exist, libvirtd will fail to start. +# If the path is not provided, but vxhs_tls = 1, then the +# default_tls_x509_cert_dir path will be used. +# +# VxHS block device clients expect the client certificate and key to be +# present in the certificate directory along with the CA master certificate. +# If using the default environment, default_tls_x509_verify must be configured. +# Since this is only a client the server-key.pem certificate is not needed. +# Thus a VxHS directory must contain the following: +# +# ca-cert.pem - the CA master certificate +# client-cert.pem - the client certificate signed with the ca-cert.pem +# client-key.pem - the client private key +# +# no puppet parameter yet +#vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs" + + +# Uncomment and use the following option to override the default secret +# UUID provided in the default_tls_x509_secret_uuid parameter. +# +# NB This default all-zeros UUID will not work. Replace it with the +# output from the UUID for the TLS secret from a 'virsh secret-list' +# command and then uncomment the entry +# +# no puppet parameter yet +#vxhs_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" + + +# Enable use of TLS encryption for all NBD disk devices that don't +# specifically disable it. +# +# When the NBD server is set up appropriately, x509 certificates are required +# for authentication between the client and the remote NBD server. +# +# It is necessary to setup CA and issue the client certificate before +# enabling this. +# +# no puppet parameter yet +#nbd_tls = 1 + + +# In order to override the default TLS certificate location for NBD +# backed storage, supply a valid path to the certificate directory. +# This is used to authenticate the NBD block device clients to the NBD +# server. +# +# If the provided path does not exist, libvirtd will fail to start. +# If the path is not provided, but nbd_tls = 1, then the +# default_tls_x509_cert_dir path will be used. +# +# NBD block device clients expect the client certificate and key to be +# present in the certificate directory along with the CA certificate. +# Since this is only a client the server-key.pem certificate is not needed. +# Thus a NBD directory must contain the following: +# +# ca-cert.pem - the CA master certificate +# client-cert.pem - the client certificate signed with the ca-cert.pem +# client-key.pem - the client private key +# +# no puppet parameter yet +#nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd" + + +# Uncomment and use the following option to override the default secret +# UUID provided in the default_tls_x509_secret_uuid parameter. +# +# NB This default all-zeros UUID will not work. Replace it with the +# output from the UUID for the TLS secret from a 'virsh secret-list' +# command and then uncomment the entry +# +# no puppet parameter yet +#nbd_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" + + +# In order to override the default TLS certificate location for migration +# certificates, supply a valid path to the certificate directory. If the +# provided path does not exist, libvirtd will fail to start. If the path is +# not provided, but TLS-encrypted migration is requested, then the +# default_tls_x509_cert_dir path will be used. Once/if a default certificate is +# enabled/defined, migration will then be able to use the certificate via +# migration API flags. +# +# no puppet parameter yet +#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate" + + +# The default TLS configuration only uses certificates for the server +# allowing the client to verify the server's identity and establish +# an encrypted channel. +# +# It is possible to use x509 certificates for authentication too, by +# issuing an x509 certificate to every client who needs to connect. +# +# Enabling this option will reject any client that does not have a +# certificate (as described in default_tls_x509_verify) signed by the +# CA in the migrate_tls_x509_cert_dir (or default_tls_x509_cert_dir). +# +# If this option is not supplied, it will be set to the value of +# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied +# either, the default is "1". +# +# no puppet parameter yet +#migrate_tls_x509_verify = 1 + + +# Uncomment and use the following option to override the default secret +# UUID provided in the default_tls_x509_secret_uuid parameter. +# +# NB This default all-zeros UUID will not work. Replace it with the +# output from the UUID for the TLS secret from a 'virsh secret-list' +# command and then uncomment the entry +# +# no puppet parameter yet +#migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" + + +# By default TLS is requested using the VIR_MIGRATE_TLS flag, thus not requested +# automatically. Setting 'migate_tls_force' to "1" will prevent any migration +# which is not using VIR_MIGRATE_TLS to ensure higher level of security in +# deployments with TLS. +# +# no puppet parameter yet +#migrate_tls_force = 0 + + +# In order to override the default TLS certificate location for backup NBD +# server certificates, supply a valid path to the certificate directory. If the +# provided path does not exist, libvirtd will fail to start. If the path is +# not provided, but TLS-encrypted backup is requested, then the +# default_tls_x509_cert_dir path will be used. +# +# no puppet parameter yet +#backup_tls_x509_cert_dir = "/etc/pki/libvirt-backup" + + +# The default TLS configuration only uses certificates for the server +# allowing the client to verify the server's identity and establish +# an encrypted channel. +# +# It is possible to use x509 certificates for authentication too, by +# issuing an x509 certificate to every client who needs to connect. +# +# Enabling this option will reject any client that does not have a +# certificate (as described in default_tls_x509_verify) signed by the +# CA in the backup_tls_x509_cert_dir (or default_tls_x509_cert_dir). +# +# If this option is not supplied, it will be set to the value of +# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either, +# the default is "1". +# +# no puppet parameter yet +#backup_tls_x509_verify = 1 + + +# Uncomment and use the following option to override the default secret +# UUID provided in the default_tls_x509_secret_uuid parameter. +# +# NB This default all-zeros UUID will not work. Replace it with the +# output from the UUID for the TLS secret from a 'virsh secret-list' +# command and then uncomment the entry +# +# no puppet parameter yet +#backup_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" + + +# By default, if no graphical front end is configured, libvirt will disable +# QEMU audio output since directly talking to alsa/pulseaudio may not work +# with various security settings. If you know what you're doing, enable +# the setting below and libvirt will passthrough the QEMU_AUDIO_DRV +# environment variable when using nographics. +# +# no puppet parameter yet +#nographics_allow_host_audio = 1 + + +# Override the port for creating both VNC and SPICE sessions (min). +# This defaults to 5900 and increases for consecutive sessions +# or when ports are occupied, until it hits the maximum. +# +# Minimum must be greater than or equal to 5900 as lower number would +# result into negative vnc display number. +# +# Maximum must be less than 65536, because higher numbers do not make +# sense as a port number. +# +# no puppet parameters yet +#remote_display_port_min = 5900 +#remote_display_port_max = 65535 + +# VNC WebSocket port policies, same rules apply as with remote display +# ports. VNC WebSockets use similar display <-> port mappings, with +# the exception being that ports start from 5700 instead of 5900. +# +# no puppet parameters yet +#remote_websocket_port_min = 5700 +#remote_websocket_port_max = 65535 + +# The default security driver is SELinux. If SELinux is disabled +# on the host, then the security driver will automatically disable +# itself. If you wish to disable QEMU SELinux security driver while +# leaving SELinux enabled for the host in general, then set this +# to 'none' instead. It's also possible to use more than one security +# driver at the same time, for this use a list of names separated by +# comma and delimited by square brackets. For example: +# +# security_driver = [ "selinux", "apparmor" ] +# +# Notes: The DAC security driver is always enabled; as a result, the +# value of security_driver cannot contain "dac". The value "none" is +# a special value; security_driver can be set to that value in +# isolation, but it cannot appear in a list of drivers. +# +# no puppet parameter yet +#security_driver = "selinux" + +# If set to non-zero, then the default security labeling +# will make guests confined. If set to zero, then guests +# will be unconfined by default. Defaults to 1. +#security_default_confined = 1 + +# If set to non-zero, then attempts to create unconfined +# guests will be blocked. Defaults to 0. +# no puppet parameter yet +#security_require_confined = 1 + +# The user for QEMU processes run by the system instance. It can be +# specified as a user name or as a user id. The qemu driver will try to +# parse this value first as a name and then, if the name doesn't exist, +# as a user id. +# +# Since a sequence of digits is a valid user name, a leading plus sign +# can be used to ensure that a user id will not be interpreted as a user +# name. +# +# Some examples of valid values are: +# +# user = "qemu" # A user named "qemu" +# user = "+0" # Super user (uid=0) +# user = "100" # A user named "100" or a user with uid=100 +# +# plan to move this to OS/version specific defaults for security updates in puppet currently an optional parameter +# falling back to defaults if not set +#user = "qemu" +<% if @qemu_user -%> +user = "<%= @qemu_user %>" +<% end -%> + +# The group for QEMU processes run by the system instance. It can be +# specified in a similar way to user. +# plan to move this to OS/version specific defaults for security updates in puppet currently an optional parameter +# falling back to defaults if not set +#group = "qemu" +<% if @qemu_group -%> +group = "<%= @qemu_group %>" +<% end -%> + +# Whether libvirt should dynamically change file ownership +# to match the configured user/group above. Defaults to 1. +# Set to 0 to disable file ownership changes. +# no puppet parameter yet +#dynamic_ownership = 1 + +# Whether libvirt should remember and restore the original +# ownership over files it is relabeling. Defaults to 1, set +# to 0 to disable the feature. +# no puppet parameter yet +#remember_owner = 1 + +# What cgroup controllers to make use of with QEMU guests +# +# - 'cpu' - use for scheduler tunables +# - 'devices' - use for device access control +# - 'memory' - use for memory tunables +# - 'blkio' - use for block devices I/O tunables +# - 'cpuset' - use for CPUs and memory nodes +# - 'cpuacct' - use for CPUs statistics. +# +# NB, even if configured here, they won't be used unless +# the administrator has mounted cgroups, e.g.: +# +# mkdir /dev/cgroup +# mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup +# +# They can be mounted anywhere, and different controllers +# can be mounted in different locations. libvirt will detect +# where they are located. +# +# no puppet parameter yet +#cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ] + +# This is the basic set of devices allowed / required by +# all virtual machines. +# +# As well as this, any configured block backed disks, +# all sound device, and all PTY devices are allowed. +# +# This will only need setting if newer QEMU suddenly +# wants some device we don't already know about. +# +# no puppet parameter yet +#cgroup_device_acl = [ +# "/dev/null", "/dev/full", "/dev/zero", +# "/dev/random", "/dev/urandom", +# "/dev/ptmx", "/dev/kvm", +# "/dev/userfaultfd" +#] +# +# RDMA migration requires the following extra files to be added to the list: +# "/dev/infiniband/rdma_cm", +# "/dev/infiniband/issm0", +# "/dev/infiniband/issm1", +# "/dev/infiniband/umad0", +# "/dev/infiniband/umad1", +# "/dev/infiniband/uverbs0" + + +# The libvirt QEMU driver supports serveral different save image formats. +# The term "format" is used loosely to describe how the save image data is +# represented on disk. It could be a continguous stream of guest memory blocks, +# or a stream of compressed memory blocks. +# +# A continguous stream of guest memory blocks is the default format for QEMU/KVM +# guest save images and is termed "raw". The raw format can consume considerable +# disk space when saving large memory guests. Various compression formats are +# available for specifying a save image compressed by the named algorithm. +# Supported compression formats are "zstd", "lzop", "gzip", "bzip2", and "xz". + +# save_image_format can be used to select the desired save format. "raw" is +# the traditional format used by libvirt and is also the default. The +# compression formats can be used to save disk space, although this typically +# results in longer save and restore times. +# +# save_image_format is used with 'virsh save' or 'virsh managedsave'. It is +# an error if the specified save_image_format is not valid, or cannot be +# supported by the system. +# +# dump_image_format is analogous to save_image_format and is used with +# 'virsh dump' at emergency crashdump. If the specified dump_image_format is +# not valid or cannot be supported by the system, this falls back to the +# "raw" format. +# +# Likewise, snapshot_image_format specifies the format of the memory save +# image when an external snapshot of a domain is taken. This does not apply +# on disk image format. It is an error if the specified format isn't valid, +# or the system cannot support the requested format. +# +# no puppet parameters yet +#save_image_format = "raw" +#dump_image_format = "raw" +#snapshot_image_format = "raw" + +# When a domain is configured to be auto-dumped when libvirtd receives a +# watchdog event from qemu guest, libvirtd will save dump files in directory +# specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump +# +# no puppet parameter yet +#auto_dump_path = "/var/lib/libvirt/qemu/dump" + +# When a domain is configured to be auto-dumped, enabling this flag +# has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the +# virDomainCoreDump API. That is, the system will avoid using the +# file system cache while writing the dump file, but may cause +# slower operation. +# +# no puppet parameter yet +#auto_dump_bypass_cache = 0 + +# When a domain is configured to be auto-started, enabling this flag +# has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag +# with the virDomainCreateWithFlags API. That is, the system will +# avoid using the file system cache when restoring any managed state +# file, but may cause slower operation. +# +# no puppet parameter yet +#auto_start_bypass_cache = 0 + +# If provided by the host and a hugetlbfs mount point is configured, +# a guest may request huge page backing. When this mount point is +# unspecified here, determination of a host mount point in /proc/mounts +# will be attempted. Specifying an explicit mount overrides detection +# of the same in /proc/mounts. Setting the mount point to "" will +# disable guest hugepage backing. If desired, multiple mount points can +# be specified at once, separated by comma and enclosed in square +# brackets, for example: +# +# hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"] +# +# The size of huge page served by specific mount point is determined by +# libvirt at the daemon startup. +# +# NB, within these mount points, guests will create memory backing +# files in a location of $MOUNTPOINT/libvirt/qemu +# +# no puppet parameter yet +#hugetlbfs_mount = "/dev/hugepages" + + +# Path to the setuid helper for creating tap devices. This executable +# is used to create interfaces when libvirtd is +# running unprivileged. libvirt invokes the helper directly, instead +# of using "-netdev bridge", for security reasons. +# If this is not an absolute path, the program will be searched for +# in $PATH as well as a few additional directories. +# no puppet parameter yet +#bridge_helper = "qemu-bridge-helper" + + +# If enabled, libvirt will have QEMU set its process name to +# "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU +# process will appear as "qemu:VM_NAME" in process listings and +# other system monitoring tools. By default, QEMU does not set +# its process title, so the complete QEMU command (emulator and +# its arguments) appear in process listings. +# +<% if @qemu_set_process_name == true -%> +set_process_name = 1 +<% elsif @qemu_set_process_name == false -%> +set_process_name = 0 +<% end -%> + + +# If max_processes is set to a positive integer, libvirt will use +# it to set the maximum number of processes that can be run by qemu +# user. This can be used to override default value set by host OS. +# The same applies to max_files which sets the limit on the maximum +# number of opened files. +# +# no puppet parameter yet +#max_processes = 0 +#max_files = 0 + +# If max_threads_per_process is set to a positive integer, libvirt +# will use it to set the maximum number of threads that can be +# created by a qemu process. Some VM configurations can result in +# qemu processes with tens of thousands of threads. systemd-based +# systems typically limit the number of threads per process to +# 16k. max_threads_per_process can be used to override default +# limits in the host OS. +# +# no puppet parameter yet +#max_threads_per_process = 0 + +# If max_core is set to a non-zero integer, then QEMU will be +# permitted to create core dumps when it crashes, provided its +# RAM size is smaller than the limit set. +# +# Be warned that the core dump will include a full copy of the +# guest RAM, if the 'dump_guest_core' setting has been enabled, +# or if the guest XML contains +# +# ...guest ram... +# +# If guest RAM is to be included, ensure the max_core limit +# is set to at least the size of the largest expected guest +# plus another 1GB for any QEMU host side memory mappings. +# +# As a special case it can be set to the string "unlimited" to +# to allow arbitrarily sized core dumps. +# +# By default the core dump size is set to 0 disabling all dumps +# +# Size is a positive integer specifying bytes or the +# string "unlimited" +# +# no puppet parameter yet +#max_core = "unlimited" + +# Determine if guest RAM is included in QEMU core dumps. By +# default guest RAM will be excluded if a new enough QEMU is +# present and host kernel supports it. Setting this to '1' will +# force guest RAM to always be included in QEMU core dumps. +# +# This setting will be ignored if the guest XML has set the +# dumpCore attribute on the element. +# +# no puppet parameter yet +#dump_guest_core = 1 + +# mac_filter enables MAC addressed based filtering on bridge ports. +# This currently requires ebtables to be installed. +# +# no puppet parameter yet +#mac_filter = 1 + + +# By default, PCI devices below non-ACS switch are not allowed to be assigned +# to guests. By setting relaxed_acs_check to 1 such devices will be allowed to +# be assigned to guests. +# +# no puppet parameter yet +#relaxed_acs_check = 1 + + +# In order to prevent accidentally starting two domains that +# share one writable disk, libvirt offers two approaches for +# locking files. The first one is sanlock, the other one, +# virtlockd, is then our own implementation. Accepted values +# are "sanlock" and "lockd". +# +# no puppet parameter yet +#lock_manager = "lockd" + + +# Set limit of maximum APIs queued on one domain. All other APIs +# over this threshold will fail on acquiring job lock. Specially, +# setting to zero turns this feature off. +# Note, that job lock is per domain. +# +# no puppet parameter yet +#max_queued = 0 + +################################################################### +# Keepalive protocol: +# This allows qemu driver to detect broken connections to remote +# libvirtd during peer-to-peer migration. A keepalive message is +# sent to the daemon after keepalive_interval seconds of inactivity +# to check if the daemon is still responding; keepalive_count is a +# maximum number of keepalive messages that are allowed to be sent +# to the daemon without getting any response before the connection +# is considered broken. In other words, the connection is +# automatically closed approximately after +# keepalive_interval * (keepalive_count + 1) seconds since the last +# message received from the daemon. If keepalive_interval is set to +# -1, qemu driver will not send keepalive requests during +# peer-to-peer migration; however, the remote libvirtd can still +# send them and source libvirtd will send responses. When +# keepalive_count is set to 0, connections will be automatically +# closed after keepalive_interval seconds of inactivity without +# sending any keepalive messages. +# +# no puppet parameter yet +#keepalive_interval = 5 +#keepalive_count = 5 + + + +# Use seccomp syscall filtering sandbox in QEMU. +# 1 == filter enabled, 0 == filter disabled +# +# Unless this option is disabled, QEMU will be run with +# a seccomp filter that stops it from executing certain +# syscalls. +# +# no puppet parameter yet +#seccomp_sandbox = 1 + + +# Override the listen address for all incoming migrations. Defaults to +# 0.0.0.0, or :: if both host and qemu are capable of IPv6. +# no puppet parameter yet +#migration_address = "0.0.0.0" + + +# The default hostname or IP address which will be used by a migration +# source for transferring migration data to this host. The migration +# source has to be able to resolve this hostname and connect to it so +# setting "localhost" will not work. By default, the host's configured +# hostname is used. +# no puppet parameter yet +#migration_host = "host.example.com" + + +# Override the port range used for incoming migrations. +# +# Minimum must be greater than 0, however when QEMU is not running as root, +# setting the minimum to be lower than 1024 will not work. +# +# Maximum must not be greater than 65535. +# +# no puppet parameter yet +#migration_port_min = 49152 +#migration_port_max = 49215 + + + +# Timestamp QEMU's log messages (if QEMU supports it) +# +# Defaults to 1. +# +# no puppet parameter yet +#log_timestamp = 0 + + +################################################################# +# no more puppet based parmaeters beyond this point +# ############################################################### + +# Location of master nvram file +# +# This configuration option is obsolete. Libvirt will follow the +# QEMU firmware metadata specification to automatically locate +# firmware images. See docs/interop/firmware.json in the QEMU +# source tree. These metadata files are distributed alongside any +# firmware images intended for use with QEMU. +# +# NOTE: if ANY firmware metadata files are detected, this setting +# will be COMPLETELY IGNORED. +# +# ------------------------------------------ +# +# When a domain is configured to use UEFI instead of standard +# BIOS it may use a separate storage for UEFI variables. If +# that's the case libvirt creates the variable store per domain +# using this master file as image. Each UEFI firmware can, +# however, have different variables store. Therefore the nvram is +# a list of strings when a single item is in form of: +# ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}. +# Later, when libvirt creates per domain variable store, this list is +# searched for the master image. The UEFI firmware can be called +# differently for different guest architectures. For instance, it's OVMF +# for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default +# follows this scheme. +#nvram = [ +# "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd", +# "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd", +# "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd", +# "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd" +#] + +# The backend to use for handling stdout/stderr output from +# QEMU processes. +# +# 'file': QEMU writes directly to a plain file. This is the +# historical default, but allows QEMU to inflict a +# denial of service attack on the host by exhausting +# filesystem space +# +# 'logd': QEMU writes to a pipe provided by virtlogd daemon. +# This is the current default, providing protection +# against denial of service by performing log file +# rollover when a size limit is hit. +# +#stdio_handler = "logd" + +# QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the +# most verbose, and 0 representing no debugging output. +# +# The current logging levels defined in the gluster GFAPI are: +# +# 0 - None +# 1 - Emergency +# 2 - Alert +# 3 - Critical +# 4 - Error +# 5 - Warning +# 6 - Notice +# 7 - Info +# 8 - Debug +# 9 - Trace +# +# Defaults to 4 +# +#gluster_debug_level = 9 + +# virtiofsd debug +# +# Whether to enable the debugging output of the virtiofsd daemon. +# Possible values are 0 or 1. Disabled by default. +# +#virtiofsd_debug = 1 + +# To enhance security, QEMU driver is capable of creating private namespaces +# for each domain started. Well, so far only "mount" namespace is supported. If +# enabled it means qemu process is unable to see all the devices on the system, +# only those configured for the domain in question. Libvirt then manages +# devices entries throughout the domain lifetime. This namespace is turned on +# by default. +#namespaces = [ "mount" ] + +# This directory is used for memoryBacking source if configured as file. +# NOTE: big files will be stored here +#memory_backing_dir = "/var/lib/libvirt/qemu/ram" + +# Path to the SCSI persistent reservations helper. This helper is +# used whenever are enabled for SCSI LUN devices. +# If this is not an absolute path, the program will be searched for +# in $PATH as well as a few additional directories. +#pr_helper = "qemu-pr-helper" + +# Path to the SLIRP networking helper. +#slirp_helper = "/usr/bin/slirp-helper" + +# Path to the dbus-daemon +# If this is not an absolute path, the program will be searched for +# in $PATH. +#dbus_daemon = "dbus-daemon" + +# User for the swtpm TPM Emulator +# +# Default is 'tss'; this is the same user that tcsd (TrouSerS) installs +# and uses; alternative is 'root' +# +#swtpm_user = "tss" +#swtpm_group = "tss" + +# For debugging and testing purposes it's sometimes useful to be able to disable +# libvirt behaviour based on the capabilities of the qemu process. This option +# allows to do so. DO _NOT_ use in production and beaware that the behaviour +# may change across versions. +# +#capability_filters = [ "capname" ] + +# 'deprecation_behavior' setting controls how the qemu process behaves towards +# deprecated commands and arguments used by libvirt. +# +# This setting is meant for developers and CI efforts to make it obvious when +# libvirt relies on fields which are deprecated so that it can be fixes as soon +# as possible. +# +# Possible options are: +# "none" - (default) qemu is supposed to accept and output deprecated fields +# and commands +# "omit" - qemu is instructed to omit deprecated fields on output, behaviour +# towards fields and commands from qemu is not changed +# "reject" - qemu is instructed to report an error if a deprecated command or +# field is used by libvirtd +# "crash" - qemu crashes when an deprecated command or field is used by libvirtd +# +# For both "reject" and "crash" qemu is instructed to omit any deprecated fields +# on output. +# +# The "reject" option is less harsh towards the VMs but some code paths ignore +# errors reported by qemu and thus it may not be obvious that a deprecated +# command/field was used, thus it's suggested to use the "crash" option instead. +# +# In cases when qemu doesn't support configuring the behaviour this setting is +# silently ignored to allow testing older qemu versions without having to +# reconfigure libvirtd. +# +# DO NOT use in production. +# +#deprecation_behavior = "none" + +# If this is set then QEMU and its threads will run in a separate scheduling +# group meaning no other process will share Hyper Threads of a single core with +# QEMU. Each QEMU has its own group. +# +# Possible options are: +# "none" - (default) neither QEMU or any of its helper processes are placed +# into separate scheduling group +# "vcpus" - only QEMU vCPU threads are placed into a separate scheduling group, +# emulator threads and helper processes remain outside of the group +# "emulator" - only QEMU and its threads (emulator + vCPUs) are placed into +# separate scheduling group, helper processes remain outside of +# the group +# "full" - both QEMU and its helper processes are placed into separate +# scheduling group +#sched_core = "none" + +# Using nbdkit to access remote disk sources +# +# If this is set then libvirt will use nbdkit to access remote disk sources +# when available. nbdkit will export an NBD share to QEMU rather than having +# QEMU attempt to access the remote server directly. +# +# Possible values are 0 or 1. Default value is 0. Please +# note that the default might change in future releases. +# +#storage_use_nbdkit = 0 + +# libvirt will normally prevent migration if the storage backing the VM is not +# on a shared filesystems. Sometimes, however, the storage *is* shared despite +# not being detected as such: for example, this is the case when one of the +# hosts involved in the migration is exporting its local storage to the other +# one via NFS. +# +# Any directory listed here will be assumed to live on a shared filesystem, +# making migration possible in scenarios such as the one described above. It's +# the system's administrator responsibility to ensure that other hosts can +# access this directory. +# +# This option is not symmetrical and should only be used on hosts where the +# storage is being exported from. It must not be used on hosts accessing the +# storage via a remote protocol. +# +# NOTE: this option is intended to help in very specific scenarios that are +# rarely encountered. If you find yourself reaching for this option, consider +# reworking your environment so that it follows a more common architecture +# rather than using it. +# +#shared_filesystems = [ +# "/path/to/images", +# "/path/to/nvram", +# "/path/to/swtpm" +#] From dc46e26f4bc3ab48a5b16d042d8dfe2edce52ce6 Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Wed, 13 Aug 2025 08:37:37 +0100 Subject: [PATCH 22/36] set vnc_listen_address to default for RHEL, Deb --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 98ea00a..fdd336f 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -51,7 +51,7 @@ $unix_sock_dir = '/run/libvirt', $access_drivers = 'no-op', # qemu.conf options - $qemu_vnc_listen = undef, + $qemu_vnc_listen = '127.0.0.1', $qemu_vnc_sasl = undef, $qemu_vnc_tls = undef, $qemu_set_process_name = undef, From d0378f4113972e1e3e8b6541f6fd5a51fcae9372 Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Wed, 13 Aug 2025 10:27:20 +0100 Subject: [PATCH 23/36] create virtproxyd.conf erb for EL9 and later --- templates/virtproxyd.conf.erb | 550 ++++++++++++++++++++++++++++++++++ 1 file changed, 550 insertions(+) create mode 100644 templates/virtproxyd.conf.erb diff --git a/templates/virtproxyd.conf.erb b/templates/virtproxyd.conf.erb new file mode 100644 index 0000000..0f873c6 --- /dev/null +++ b/templates/virtproxyd.conf.erb @@ -0,0 +1,550 @@ +# This file is managed by puppet - changes will be overwritten +# Master libvirt proxy daemon configuration file +# + +################################################################# +# +# Network connectivity controls +# + +# Flag listening for secure TLS connections on the public TCP/IP port. +# +# To enable listening sockets with the 'libvirtd' daemon it's also required to +# pass the '--listen' flag on the commandline of the daemon. +# This is not needed with 'virtproxyd'. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# It is necessary to setup a CA and issue server certificates before +# using this capability. +# +# This is enabled by default, +<% if @listen_tls == true -%> +listen_tls = 1 +<% elsif @listen_tls == false -%> +listen_tls = 0 +<% end -%> +# Listen for unencrypted TCP connections on the public TCP/IP port. +# +# To enable listening sockets with the 'libvirtd' daemon it's also required to +# pass the '--listen' flag on the commandline of the daemon. +# This is not needed with 'virtproxyd'. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Using the TCP socket requires SASL authentication by default. Only +# SASL mechanisms which support data encryption are allowed. This is +# DIGEST_MD5 and GSSAPI (Kerberos5) +# +# This is disabled by default. +<% if @listen_tcp == true -%> +listen_tcp = 1 +<% elsif @listen_tcp == false -%> +listen_tcp = 0 +<% end -%> + +# Override the port for accepting secure TLS connections +# This can be a port number, or service name +# +# This setting is not required or honoured if using systemd socket +# activation. +# +<% if @tls_port -%> +tls_port = "<%= @tls_port %>" +<% end -%> + +# Override the port for accepting insecure TCP connections +# This can be a port number, or service name +# +# This setting is not required or honoured if using systemd socket +# activation. +# +<% if @tcp_port -%> +tcp_port = "<%= @tcp_port %>" +<% end -%> + + +# Override the default configuration which binds to all network +# interfaces. This can be a numeric IPv4/6 address, or hostname +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# If the virtproxyd service is started in parallel with network +# startup (e.g. with systemd), binding to addresses other than +# the wildcards (0.0.0.0/::) might not be available yet. +# +<% if @listen_addr -%> +listen_addr = "<%= @listen_addr %>" +<% else -%> +#listen_addr = "192.168.0.1" +<% end -%> + +################################################################# +# +# UNIX socket access controls +# + +# Set the UNIX domain socket group ownership. This can be used to +# allow a 'trusted' set of users access to management capabilities +# without becoming root. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# This is restricted to 'root' by default. +unix_sock_group = "<%= @unix_sock_group %>" + +# Set the UNIX socket permissions for the R/O socket. This is used +# for monitoring VM status only +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows any user. If setting group ownership, you may want to +# restrict this too. +unix_sock_ro_perms = "<%= @unix_sock_ro_perms %>" + + +# Set the UNIX socket permissions for the R/W socket. This is used +# for full management of VMs +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows only root. If PolicyKit is enabled on the socket, +# the default will change to allow everyone (eg, 0777) +# +# If not using PolicyKit and setting group ownership for access +# control, then you may want to relax this too. +unix_sock_rw_perms = "<%= @unix_sock_rw_perms %>" + +# Set the UNIX socket permissions for the admin interface socket. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows only owner (root), do not change it unless you are +# sure to whom you are exposing the access to. +#unix_sock_admin_perms = "0700" + +# Set the name of the directory in which sockets will be found/created. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +unix_sock_dir = "<%= @unix_sock_dir %>" + + + +################################################################# +# +# Authentication. +# +# There are the following choices available: +# +# - none: do not perform auth checks. If you can connect to the +# socket you are allowed. This is suitable if there are +# restrictions on connecting to the socket (eg, UNIX +# socket permissions), or if there is a lower layer in +# the network providing auth (eg, TLS/x509 certificates) +# +# - sasl: use SASL infrastructure. The actual auth scheme is then +# controlled from /etc/sasl2/libvirt.conf. For the TCP +# socket only GSSAPI & DIGEST-MD5 mechanisms will be used. +# For non-TCP or TLS sockets, any scheme is allowed. +# +# - polkit: use PolicyKit to authenticate. This is only suitable +# for use on the UNIX sockets. The default policy will +# require a user to supply their own password to gain +# full read/write access (aka sudo like), while anyone +# is allowed read/only access. +# + +# Set an authentication scheme for UNIX read-only sockets +# +# By default socket permissions allow anyone to connect +# +# If libvirt was compiled without support for 'polkit', then +# no access control checks are done, but libvirt still only +# allows execution of APIs which don't change state. +# +# If libvirt was compiled with support for 'polkit', then +# the libvirt socket will perform a check with polkit after +# connections. The default policy still allows any local +# user access. +# +# To restrict monitoring of domains you may wish to either +# enable 'sasl' here, or change the polkit policy definition. +#auth_unix_ro = "polkit" + +# Set an authentication scheme for UNIX read-write sockets. +# +# If libvirt was compiled without support for 'polkit', then +# the systemd .socket files will use SocketMode=0600 by default +# thus only allowing root user to connect, and 'auth_unix_rw' +# will default to 'none'. +# +# If libvirt was compiled with support for 'polkit', then +# the systemd .socket files will use SocketMode=0666 which +# allows any user to connect and 'auth_unix_rw' will default +# to 'polkit'. If you disable use of 'polkit' here, then it +# is essential to change the systemd SocketMode parameter +# back to 0600, to avoid an insecure configuration. +# +#auth_unix_rw = "polkit" + +# Change the authentication scheme for TCP sockets. +# +# If you don't enable SASL, then all TCP traffic is cleartext. +# Don't do this outside of a dev/test scenario. For real world +# use, always enable SASL and use the GSSAPI or DIGEST-MD5 +# mechanism in /etc/sasl2/libvirt.conf +#auth_tcp = "sasl" + +# Change the authentication scheme for TLS sockets. +# +# TLS sockets already have encryption provided by the TLS +# layer, and limited authentication is done by certificates +# +# It is possible to make use of any SASL authentication +# mechanism as well, by using 'sasl' for this option +#auth_tls = "none" + +# Enforce a minimum SSF value for TCP sockets +# +# The default minimum is currently 56 (single-DES) which will +# be raised to 112 in the future. +# +# This option can be used to set values higher than 112 +#tcp_min_ssf = 112 + + +# Change the API access control scheme +# +# By default an authenticated user is allowed access +# to all APIs. Access drivers can place restrictions +# on this. By default the 'nop' driver is enabled, +# meaning no access control checks are done once a +# client has authenticated with virtproxyd +# +#access_drivers = [ "polkit" ] + +################################################################# +# +# TLS x509 certificate configuration +# + +# Use of TLS requires that x509 certificates be issued. The default locations +# for the certificate files is as follows: +# +# /etc/pki/CA/cacert.pem - The CA master certificate +# /etc/pki/libvirt/servercert.pem - The server certificate signed by cacert.pem +# /etc/pki/libvirt/private/serverkey.pem - The server private key +# +# It is possible to override the default locations by altering the 'key_file', +# 'cert_file', and 'ca_file' values and uncommenting them below. +# +# NB, overriding the default of one location requires uncommenting and +# possibly additionally overriding the other settings. +# + +# Override the default server key file path +# +#key_file = "/etc/pki/libvirt/private/serverkey.pem" + +# Override the default server certificate file path +# +#cert_file = "/etc/pki/libvirt/servercert.pem" + +# Override the default CA certificate path +# +#ca_file = "/etc/pki/CA/cacert.pem" + +# Specify a certificate revocation list. +# +# Defaults to not using a CRL, uncomment to enable it +#crl_file = "/etc/pki/CA/crl.pem" + + + +################################################################# +# +# Authorization controls +# + + +# Flag to disable verification of our own server certificates +# +# When virtproxyd starts it performs some sanity checks against +# its own certificates. +# +# Default is to always run sanity checks. Uncommenting this +# will disable sanity checks which is not a good idea +#tls_no_sanity_certificate = 1 + +# Flag to disable verification of client certificates +# +# Client certificate verification is the primary authentication mechanism. +# Any client which does not present a certificate signed by the CA +# will be rejected. +# +# Default is to always verify. Uncommenting this will disable +# verification. +#tls_no_verify_certificate = 1 + + +# An access control list of allowed x509 Distinguished Names +# This list may contain wildcards such as +# +# "C=GB,ST=London,L=London,O=Red Hat,CN=*" +# +# Any * matches any number of consecutive spaces, like a simplified glob(7). +# +# The format of the DN for a particular certificate can be queried +# using: +# +# virt-pki-query-dn clientcert.pem +# +# NB If this is an empty list, no client can connect, so comment out +# entirely rather than using empty list to disable these checks +# +# By default, no DN's are checked +#tls_allowed_dn_list = ["DN1", "DN2"] + + +# Override the compile time default TLS priority string. The +# default is usually "NORMAL" unless overridden at build time. +# Only set this is it is desired for libvirt to deviate from +# the global default settings. +# +#tls_priority="NORMAL" + + +# An access control list of allowed SASL usernames. The format for username +# depends on the SASL authentication mechanism. Kerberos usernames +# look like username@REALM +# +# This list may contain wildcards such as +# +# "*@EXAMPLE.COM" +# +# See the g_pattern_match function for the format of the wildcards. +# +# https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching.html +# +# NB If this is an empty list, no client can connect, so comment out +# entirely rather than using empty list to disable these checks +# +# By default, no Username's are checked +#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] + + +################################################################# +# +# Processing controls +# + +# The maximum number of concurrent client connections to allow +# over all sockets combined. +#max_clients = 5000 + +# The maximum length of queue of connections waiting to be +# accepted by the daemon. Note, that some protocols supporting +# retransmission may obey this so that a later reattempt at +# connection succeeds. +#max_queued_clients = 1000 + +# The maximum length of queue of accepted but not yet +# authenticated clients. The default value is 20. Set this to +# zero to turn this feature off. +#max_anonymous_clients = 20 + +# The minimum limit sets the number of workers to start up +# initially. If the number of active clients exceeds this, +# then more threads are spawned, up to max_workers limit. +# Typically you'd want max_workers to equal maximum number +# of clients allowed +#min_workers = 5 +#max_workers = 20 + + +# The number of priority workers. If all workers from above +# pool are stuck, some calls marked as high priority +# (notably domainDestroy) can be executed in this pool. +#prio_workers = 5 + +# Limit on concurrent requests from a single client +# connection. To avoid one client monopolizing the server +# this should be a small fraction of the global max_workers +# parameter. +# Setting this too low may cause keepalive timeouts. +#max_client_requests = 5 + +# Same processing controls, but this time for the admin interface. +# For description of each option, be so kind to scroll few lines +# upwards. + +#admin_min_workers = 1 +#admin_max_workers = 5 +#admin_max_clients = 5 +#admin_max_queued_clients = 5 +#admin_max_client_requests = 5 + +################################################################# +# +# Logging controls +# + +# Logging level: 4 errors, 3 warnings, 2 information, 1 debug +# basically 1 will log everything possible +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +# +# WARNING: It outputs too much information to practically read. +# WARNING: The "log_filters" setting is recommended instead. +# +# WARNING: Journald applies rate limiting of messages and so libvirt +# WARNING: will limit "log_level" to only allow values 3 or 4 if +# WARNING: journald is the current output. +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +#log_level = 3 + +# Logging filters: +# A filter allows to select a different logging level for a given category +# of logs. The format for a filter is: +# +# level:match +# +# where 'match' is a string which is matched against the category +# given in the VIR_LOG_INIT() at the top of each libvirt source +# file, e.g., "remote", "qemu", or "util.json". The 'match' in the +# filter matches using shell wildcard syntax (see 'man glob(7)'). +# The 'match' is always treated as a substring match. IOW a match +# string 'foo' is equivalent to '*foo*'. +# +# 'level' is the minimal level where matching messages should +# be logged: +# +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple filters can be defined in a single @log_filters, they just need +# to be separated by spaces. Note that libvirt performs "first" match, i.e. +# if there are concurrent filters, the first one that matches will be applied, +# given the order in @log_filters. +# +# A typical need is to capture information from a hypervisor driver, +# public API entrypoints and some of the utility code. Some utility +# code is very verbose and is generally not desired. Taking the QEMU +# hypervisor as an example, a suitable filter string for debugging +# might be to turn off object, json & event logging, but enable the +# rest of the util code: +# +#log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util" + +# Logging outputs: +# An output is one of the places to save logging information +# The format for an output can be: +# level:stderr +# output goes to stderr +# level:syslog:name +# use syslog for the output and use the given name as the ident +# level:file:file_path +# output to a file, with the given filepath +# level:journald +# output to journald logging system +# In all cases 'level' is the minimal priority, acting as a filter +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple outputs can be defined, they just need to be separated by spaces. +# e.g. to log all warnings and errors to syslog under the virtproxyd ident: +#log_outputs="3:syslog:virtproxyd" + + +################################################################## +# +# Auditing +# +# This setting allows usage of the auditing subsystem to be altered: +# +# audit_level == 0 -> disable all auditing +# audit_level == 1 -> enable auditing, only if enabled on host (default) +# audit_level == 2 -> enable auditing, and exit if disabled on host +# +#audit_level = 2 +# +# If set to 1, then audit messages will also be sent +# via libvirt logging infrastructure. Defaults to 0 +# +#audit_logging = 1 + +################################################################### +# UUID of the host: +# Host UUID is read from one of the sources specified in host_uuid_source. +# +# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid' +# - 'machine-id': fetch the UUID from /etc/machine-id +# +# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide +# a valid UUID a temporary UUID will be generated. +# +# Another option is to specify host UUID in host_uuid. +# +# Keep the format of the example UUID below. UUID must not have all digits +# be the same. + +# NB This default all-zeros UUID will not work. Replace +# it with the output of the 'uuidgen' command and then +# uncomment this entry +#host_uuid = "00000000-0000-0000-0000-000000000000" +#host_uuid_source = "smbios" + +################################################################### +# Keepalive protocol: +# This allows virtproxyd to detect broken client connections or even +# dead clients. A keepalive message is sent to a client after +# keepalive_interval seconds of inactivity to check if the client is +# still responding; keepalive_count is a maximum number of keepalive +# messages that are allowed to be sent to the client without getting +# any response before the connection is considered broken. In other +# words, the connection is automatically closed approximately after +# keepalive_interval * (keepalive_count + 1) seconds since the last +# message received from the client. If keepalive_interval is set to +# -1, virtproxyd will never send keepalive requests; however clients +# can still send them and the daemon will send responses. When +# keepalive_count is set to 0, connections will be automatically +# closed after keepalive_interval seconds of inactivity without +# sending any keepalive messages. +# +#keepalive_interval = 5 +#keepalive_count = 5 + +# +# These configuration options are no longer used. There is no way to +# restrict such clients from connecting since they first need to +# connect in order to ask for keepalive. +# +#keepalive_required = 1 +#admin_keepalive_required = 1 + +# Keepalive settings for the admin interface +#admin_keepalive_interval = 5 +#admin_keepalive_count = 5 + +################################################################### +# Open vSwitch: +# This allows to specify a timeout for openvswitch calls made by +# libvirt. The ovs-vsctl utility is used for the configuration and +# its timeout option is set by default to 5 seconds to avoid +# potential infinite waits blocking libvirt. +# +#ovs_timeout = 5 From ae2c4bd5925ff0db82ad5383d27c01bfababeb66 Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Wed, 13 Aug 2025 10:42:33 +0100 Subject: [PATCH 24/36] include auth options in libvirtproyd erb --- templates/virtproxyd.conf.erb | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/templates/virtproxyd.conf.erb b/templates/virtproxyd.conf.erb index 0f873c6..a1bac66 100644 --- a/templates/virtproxyd.conf.erb +++ b/templates/virtproxyd.conf.erb @@ -178,8 +178,7 @@ unix_sock_dir = "<%= @unix_sock_dir %>" # # To restrict monitoring of domains you may wish to either # enable 'sasl' here, or change the polkit policy definition. -#auth_unix_ro = "polkit" - +auth_unix_ro = "<%= @auth_unix_ro %>" # Set an authentication scheme for UNIX read-write sockets. # # If libvirt was compiled without support for 'polkit', then @@ -194,7 +193,7 @@ unix_sock_dir = "<%= @unix_sock_dir %>" # is essential to change the systemd SocketMode parameter # back to 0600, to avoid an insecure configuration. # -#auth_unix_rw = "polkit" +auth_unix_rw = "<%= @auth_unix_rw %>" # Change the authentication scheme for TCP sockets. # @@ -202,7 +201,7 @@ unix_sock_dir = "<%= @unix_sock_dir %>" # Don't do this outside of a dev/test scenario. For real world # use, always enable SASL and use the GSSAPI or DIGEST-MD5 # mechanism in /etc/sasl2/libvirt.conf -#auth_tcp = "sasl" +auth_tcp = "<%= @auth_tcp %>" # Change the authentication scheme for TLS sockets. # @@ -211,7 +210,7 @@ unix_sock_dir = "<%= @unix_sock_dir %>" # # It is possible to make use of any SASL authentication # mechanism as well, by using 'sasl' for this option -#auth_tls = "none" +auth_tls = "<%= @auth_tls %>" # Enforce a minimum SSF value for TCP sockets # @@ -219,7 +218,8 @@ unix_sock_dir = "<%= @unix_sock_dir %>" # be raised to 112 in the future. # # This option can be used to set values higher than 112 -#tcp_min_ssf = 112 +tcp_min_ssf = <%= @tcp_min_ssf %> + # Change the API access control scheme @@ -230,8 +230,12 @@ unix_sock_dir = "<%= @unix_sock_dir %>" # meaning no access control checks are done once a # client has authenticated with virtproxyd # -#access_drivers = [ "polkit" ] +# target should be set to polkit +access_drivers = [ "<%= @access_drivers %>" ] + +# No puppet parameters are available from here - future releases target +# ################################################################# # # TLS x509 certificate configuration From 927ccdd40055cabb39a4e700c60d91fb7cd59f6b Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Wed, 13 Aug 2025 10:49:52 +0100 Subject: [PATCH 25/36] new param enable_libvirt_proxy for EL9+ --- manifests/init.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/init.pp b/manifests/init.pp index fdd336f..a6cf6e7 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -50,6 +50,7 @@ $tcp_min_ssf = '112', $unix_sock_dir = '/run/libvirt', $access_drivers = 'no-op', + $enable_libirtproxy = false, # qemu.conf options $qemu_vnc_listen = '127.0.0.1', $qemu_vnc_sasl = undef, From 1a2b6812a4dd5f812d563954cc51ee2faf3e0ce6 Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Wed, 13 Aug 2025 10:54:41 +0100 Subject: [PATCH 26/36] create libvirtqemud.conf erb for EL9+ --- templates/virtqemud.conf.erb | 362 +++++++++++++++++++++++++++++++++++ 1 file changed, 362 insertions(+) create mode 100644 templates/virtqemud.conf.erb diff --git a/templates/virtqemud.conf.erb b/templates/virtqemud.conf.erb new file mode 100644 index 0000000..7847e0c --- /dev/null +++ b/templates/virtqemud.conf.erb @@ -0,0 +1,362 @@ +# This file is managed by puppet - changes will be overwritten + +# Master libvirt daemon configuration file +# + +################################################################# +# +# UNIX socket access controls +# + +# Set the UNIX domain socket group ownership. This can be used to +# allow a 'trusted' set of users access to management capabilities +# without becoming root. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# This is restricted to 'root' by default. +unix_sock_group = "<%= @unix_sock_group %>" + + +# Set the UNIX socket permissions for the R/O socket. This is used +# for monitoring VM status only +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows any user. If setting group ownership, you may want to +# restrict this too. +unix_sock_ro_perms = "<%= @unix_sock_ro_perms %>" + +# Set the UNIX socket permissions for the R/W socket. This is used +# for full management of VMs +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows only root. If PolicyKit is enabled on the socket, +# the default will change to allow everyone (eg, 0777) +# +# If not using PolicyKit and setting group ownership for access +# control, then you may want to relax this too. +unix_sock_rw_perms = "<%= @unix_sock_rw_perms %>" + + +# Set the UNIX socket permissions for the admin interface socket. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows only owner (root), do not change it unless you are +# sure to whom you are exposing the access to. +#unix_sock_admin_perms = "0700" + +# Set the name of the directory in which sockets will be found/created. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +unix_sock_dir = "<%= @unix_sock_dir %>" + + + +################################################################# +# +# Authentication. +# +# There are the following choices available: +# +# - none: do not perform auth checks. If you can connect to the +# socket you are allowed. This is suitable if there are +# restrictions on connecting to the socket (eg, UNIX +# socket permissions), or if there is a lower layer in +# the network providing auth (eg, TLS/x509 certificates) +# +# - sasl: use SASL infrastructure. The actual auth scheme is then +# controlled from /etc/sasl2/libvirt.conf. For the TCP +# socket only GSSAPI & DIGEST-MD5 mechanisms will be used. +# For non-TCP or TLS sockets, any scheme is allowed. +# +# - polkit: use PolicyKit to authenticate. This is only suitable +# for use on the UNIX sockets. The default policy will +# require a user to supply their own password to gain +# full read/write access (aka sudo like), while anyone +# is allowed read/only access. +# + +# Set an authentication scheme for UNIX read-only sockets +# +# By default socket permissions allow anyone to connect +# +# If libvirt was compiled without support for 'polkit', then +# no access control checks are done, but libvirt still only +# allows execution of APIs which don't change state. +# +# If libvirt was compiled with support for 'polkit', then +# the libvirt socket will perform a check with polkit after +# connections. The default policy still allows any local +# user access. +# +# To restrict monitoring of domains you may wish to either +# enable 'sasl' here, or change the polkit policy definition. +#auth_unix_ro = "polkit" + +# Set an authentication scheme for UNIX read-write sockets. +# +# If libvirt was compiled without support for 'polkit', then +# the systemd .socket files will use SocketMode=0600 by default +# thus only allowing root user to connect, and 'auth_unix_rw' +# will default to 'none'. +# +# If libvirt was compiled with support for 'polkit', then +# the systemd .socket files will use SocketMode=0666 which +# allows any user to connect and 'auth_unix_rw' will default +# to 'polkit'. If you disable use of 'polkit' here, then it +# is essential to change the systemd SocketMode parameter +# back to 0600, to avoid an insecure configuration. +# +#auth_unix_rw = "polkit" + + +# Change the API access control scheme +# +# By default an authenticated user is allowed access +# to all APIs. Access drivers can place restrictions +# on this. By default the 'nop' driver is enabled, +# meaning no access control checks are done once a +# client has authenticated with virtqemud +# +#access_drivers = [ "polkit" ] + +################################################################# +# +# Authorization controls +# + + +# An access control list of allowed SASL usernames. The format for username +# depends on the SASL authentication mechanism. Kerberos usernames +# look like username@REALM +# +# This list may contain wildcards such as +# +# "*@EXAMPLE.COM" +# +# See the g_pattern_match function for the format of the wildcards. +# +# https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching.html +# +# NB If this is an empty list, no client can connect, so comment out +# entirely rather than using empty list to disable these checks +# +# By default, no Username's are checked +#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] + + +################################################################# +# +# Processing controls +# + +# The maximum number of concurrent client connections to allow +# over all sockets combined. +#max_clients = 5000 + +# The maximum length of queue of connections waiting to be +# accepted by the daemon. Note, that some protocols supporting +# retransmission may obey this so that a later reattempt at +# connection succeeds. +#max_queued_clients = 1000 + +# The maximum length of queue of accepted but not yet +# authenticated clients. The default value is 20. Set this to +# zero to turn this feature off. +#max_anonymous_clients = 20 + +# The minimum limit sets the number of workers to start up +# initially. If the number of active clients exceeds this, +# then more threads are spawned, up to max_workers limit. +# Typically you'd want max_workers to equal maximum number +# of clients allowed +#min_workers = 5 +#max_workers = 20 + + +# The number of priority workers. If all workers from above +# pool are stuck, some calls marked as high priority +# (notably domainDestroy) can be executed in this pool. +#prio_workers = 5 + +# Limit on concurrent requests from a single client +# connection. To avoid one client monopolizing the server +# this should be a small fraction of the global max_workers +# parameter. +# Setting this too low may cause keepalive timeouts. +#max_client_requests = 5 + +# Same processing controls, but this time for the admin interface. +# For description of each option, be so kind to scroll few lines +# upwards. + +#admin_min_workers = 1 +#admin_max_workers = 5 +#admin_max_clients = 5 +#admin_max_queued_clients = 5 +#admin_max_client_requests = 5 + +################################################################# +# +# Logging controls +# + +# Logging level: 4 errors, 3 warnings, 2 information, 1 debug +# basically 1 will log everything possible +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +# +# WARNING: It outputs too much information to practically read. +# WARNING: The "log_filters" setting is recommended instead. +# +# WARNING: Journald applies rate limiting of messages and so libvirt +# WARNING: will limit "log_level" to only allow values 3 or 4 if +# WARNING: journald is the current output. +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +#log_level = 3 + +# Logging filters: +# A filter allows to select a different logging level for a given category +# of logs. The format for a filter is: +# +# level:match +# +# where 'match' is a string which is matched against the category +# given in the VIR_LOG_INIT() at the top of each libvirt source +# file, e.g., "remote", "qemu", or "util.json". The 'match' in the +# filter matches using shell wildcard syntax (see 'man glob(7)'). +# The 'match' is always treated as a substring match. IOW a match +# string 'foo' is equivalent to '*foo*'. +# +# 'level' is the minimal level where matching messages should +# be logged: +# +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple filters can be defined in a single @log_filters, they just need +# to be separated by spaces. Note that libvirt performs "first" match, i.e. +# if there are concurrent filters, the first one that matches will be applied, +# given the order in @log_filters. +# +# A typical need is to capture information from a hypervisor driver, +# public API entrypoints and some of the utility code. Some utility +# code is very verbose and is generally not desired. Taking the QEMU +# hypervisor as an example, a suitable filter string for debugging +# might be to turn off object, json & event logging, but enable the +# rest of the util code: +# +#log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util" + +# Logging outputs: +# An output is one of the places to save logging information +# The format for an output can be: +# level:stderr +# output goes to stderr +# level:syslog:name +# use syslog for the output and use the given name as the ident +# level:file:file_path +# output to a file, with the given filepath +# level:journald +# output to journald logging system +# In all cases 'level' is the minimal priority, acting as a filter +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple outputs can be defined, they just need to be separated by spaces. +# e.g. to log all warnings and errors to syslog under the virtqemud ident: +#log_outputs="3:syslog:virtqemud" + + +################################################################## +# +# Auditing +# +# This setting allows usage of the auditing subsystem to be altered: +# +# audit_level == 0 -> disable all auditing +# audit_level == 1 -> enable auditing, only if enabled on host (default) +# audit_level == 2 -> enable auditing, and exit if disabled on host +# +#audit_level = 2 +# +# If set to 1, then audit messages will also be sent +# via libvirt logging infrastructure. Defaults to 0 +# +#audit_logging = 1 + +################################################################### +# UUID of the host: +# Host UUID is read from one of the sources specified in host_uuid_source. +# +# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid' +# - 'machine-id': fetch the UUID from /etc/machine-id +# +# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide +# a valid UUID a temporary UUID will be generated. +# +# Another option is to specify host UUID in host_uuid. +# +# Keep the format of the example UUID below. UUID must not have all digits +# be the same. + +# NB This default all-zeros UUID will not work. Replace +# it with the output of the 'uuidgen' command and then +# uncomment this entry +#host_uuid = "00000000-0000-0000-0000-000000000000" +#host_uuid_source = "smbios" + +################################################################### +# Keepalive protocol: +# This allows virtqemud to detect broken client connections or even +# dead clients. A keepalive message is sent to a client after +# keepalive_interval seconds of inactivity to check if the client is +# still responding; keepalive_count is a maximum number of keepalive +# messages that are allowed to be sent to the client without getting +# any response before the connection is considered broken. In other +# words, the connection is automatically closed approximately after +# keepalive_interval * (keepalive_count + 1) seconds since the last +# message received from the client. If keepalive_interval is set to +# -1, virtqemud will never send keepalive requests; however clients +# can still send them and the daemon will send responses. When +# keepalive_count is set to 0, connections will be automatically +# closed after keepalive_interval seconds of inactivity without +# sending any keepalive messages. +# +#keepalive_interval = 5 +#keepalive_count = 5 + +# +# These configuration options are no longer used. There is no way to +# restrict such clients from connecting since they first need to +# connect in order to ask for keepalive. +# +#keepalive_required = 1 +#admin_keepalive_required = 1 + +# Keepalive settings for the admin interface +#admin_keepalive_interval = 5 +#admin_keepalive_count = 5 + +################################################################### +# Open vSwitch: +# This allows to specify a timeout for openvswitch calls made by +# libvirt. The ovs-vsctl utility is used for the configuration and +# its timeout option is set by default to 5 seconds to avoid +# potential infinite waits blocking libvirt. +# +#ovs_timeout = 5 From d3e3e8d55eb7b33c1628b6c2a896882d2f21f00f Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Wed, 13 Aug 2025 10:57:14 +0100 Subject: [PATCH 27/36] add auth params to virtqemud erb --- templates/virtqemud.conf.erb | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/templates/virtqemud.conf.erb b/templates/virtqemud.conf.erb index 7847e0c..5b4dd1b 100644 --- a/templates/virtqemud.conf.erb +++ b/templates/virtqemud.conf.erb @@ -100,7 +100,7 @@ unix_sock_dir = "<%= @unix_sock_dir %>" # # To restrict monitoring of domains you may wish to either # enable 'sasl' here, or change the polkit policy definition. -#auth_unix_ro = "polkit" +auth_unix_ro = "<%= @auth_unix_ro %>" # Set an authentication scheme for UNIX read-write sockets. # @@ -116,8 +116,7 @@ unix_sock_dir = "<%= @unix_sock_dir %>" # is essential to change the systemd SocketMode parameter # back to 0600, to avoid an insecure configuration. # -#auth_unix_rw = "polkit" - +auth_unix_rw = "<%= @auth_unix_rw %>" # Change the API access control scheme # @@ -127,8 +126,10 @@ unix_sock_dir = "<%= @unix_sock_dir %>" # meaning no access control checks are done once a # client has authenticated with virtqemud # -#access_drivers = [ "polkit" ] +access_drivers = [ "<%= @access_drivers %>" ] + +# no puppet parameters are beyond this line - future releases will enable ################################################################# # # Authorization controls From 95e9e218713a6f43fe7ebc00626985506ada4894 Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Wed, 13 Aug 2025 11:18:52 +0100 Subject: [PATCH 28/36] create virtnetworkd.conf erb template for EL9+ --- templates/virtnetworkd.conf.erb | 359 ++++++++++++++++++++++++++++++++ 1 file changed, 359 insertions(+) create mode 100644 templates/virtnetworkd.conf.erb diff --git a/templates/virtnetworkd.conf.erb b/templates/virtnetworkd.conf.erb new file mode 100644 index 0000000..e3e55c3 --- /dev/null +++ b/templates/virtnetworkd.conf.erb @@ -0,0 +1,359 @@ +# Master libvirt daemon configuration file +# + +################################################################# +# +# UNIX socket access controls +# + +# Set the UNIX domain socket group ownership. This can be used to +# allow a 'trusted' set of users access to management capabilities +# without becoming root. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# This is restricted to 'root' by default. +unix_sock_group = "<%= @unix_sock_group %>" + +# Set the UNIX socket permissions for the R/O socket. This is used +# for monitoring VM status only +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows any user. If setting group ownership, you may want to +# restrict this too. +unix_sock_ro_perms = "<%= @unix_sock_ro_perms %>" + +# Set the UNIX socket permissions for the R/W socket. This is used +# for full management of VMs +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows only root. If PolicyKit is enabled on the socket, +# the default will change to allow everyone (eg, 0777) +# +# If not using PolicyKit and setting group ownership for access +# control, then you may want to relax this too. +unix_sock_rw_perms = "<%= @unix_sock_rw_perms %>" + +# Set the UNIX socket permissions for the admin interface socket. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows only owner (root), do not change it unless you are +# sure to whom you are exposing the access to. +#unix_sock_admin_perms = "0700" + +# Set the name of the directory in which sockets will be found/created. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +unix_sock_dir = "<%= @unix_sock_dir %>" + + + +################################################################# +# +# Authentication. +# +# There are the following choices available: +# +# - none: do not perform auth checks. If you can connect to the +# socket you are allowed. This is suitable if there are +# restrictions on connecting to the socket (eg, UNIX +# socket permissions), or if there is a lower layer in +# the network providing auth (eg, TLS/x509 certificates) +# +# - sasl: use SASL infrastructure. The actual auth scheme is then +# controlled from /etc/sasl2/libvirt.conf. For the TCP +# socket only GSSAPI & DIGEST-MD5 mechanisms will be used. +# For non-TCP or TLS sockets, any scheme is allowed. +# +# - polkit: use PolicyKit to authenticate. This is only suitable +# for use on the UNIX sockets. The default policy will +# require a user to supply their own password to gain +# full read/write access (aka sudo like), while anyone +# is allowed read/only access. +# + +# Set an authentication scheme for UNIX read-only sockets +# +# By default socket permissions allow anyone to connect +# +# If libvirt was compiled without support for 'polkit', then +# no access control checks are done, but libvirt still only +# allows execution of APIs which don't change state. +# +# If libvirt was compiled with support for 'polkit', then +# the libvirt socket will perform a check with polkit after +# connections. The default policy still allows any local +# user access. +# +# To restrict monitoring of domains you may wish to either +# enable 'sasl' here, or change the polkit policy definition. +auth_unix_ro = "<%= @auth_unix_ro %>" + +# Set an authentication scheme for UNIX read-write sockets. +# +# If libvirt was compiled without support for 'polkit', then +# the systemd .socket files will use SocketMode=0600 by default +# thus only allowing root user to connect, and 'auth_unix_rw' +# will default to 'none'. +# +# If libvirt was compiled with support for 'polkit', then +# the systemd .socket files will use SocketMode=0666 which +# allows any user to connect and 'auth_unix_rw' will default +# to 'polkit'. If you disable use of 'polkit' here, then it +# is essential to change the systemd SocketMode parameter +# back to 0600, to avoid an insecure configuration. +# +auth_unix_rw = "<%= @auth_unix_rw %>" + + +# Change the API access control scheme +# +# By default an authenticated user is allowed access +# to all APIs. Access drivers can place restrictions +# on this. By default the 'nop' driver is enabled, +# meaning no access control checks are done once a +# client has authenticated with virtnetworkd +# +access_drivers = [ "<%= @access_drivers %>" ] + +# no puppet parameters are defined beyond this point - future releases will grow +################################################################# +# +# Authorization controls +# + + +# An access control list of allowed SASL usernames. The format for username +# depends on the SASL authentication mechanism. Kerberos usernames +# look like username@REALM +# +# This list may contain wildcards such as +# +# "*@EXAMPLE.COM" +# +# See the g_pattern_match function for the format of the wildcards. +# +# https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching.html +# +# NB If this is an empty list, no client can connect, so comment out +# entirely rather than using empty list to disable these checks +# +# By default, no Username's are checked +#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] + + +################################################################# +# +# Processing controls +# + +# The maximum number of concurrent client connections to allow +# over all sockets combined. +#max_clients = 5000 + +# The maximum length of queue of connections waiting to be +# accepted by the daemon. Note, that some protocols supporting +# retransmission may obey this so that a later reattempt at +# connection succeeds. +#max_queued_clients = 1000 + +# The maximum length of queue of accepted but not yet +# authenticated clients. The default value is 20. Set this to +# zero to turn this feature off. +#max_anonymous_clients = 20 + +# The minimum limit sets the number of workers to start up +# initially. If the number of active clients exceeds this, +# then more threads are spawned, up to max_workers limit. +# Typically you'd want max_workers to equal maximum number +# of clients allowed +#min_workers = 5 +#max_workers = 20 + + +# The number of priority workers. If all workers from above +# pool are stuck, some calls marked as high priority +# (notably domainDestroy) can be executed in this pool. +#prio_workers = 5 + +# Limit on concurrent requests from a single client +# connection. To avoid one client monopolizing the server +# this should be a small fraction of the global max_workers +# parameter. +# Setting this too low may cause keepalive timeouts. +#max_client_requests = 5 + +# Same processing controls, but this time for the admin interface. +# For description of each option, be so kind to scroll few lines +# upwards. + +#admin_min_workers = 1 +#admin_max_workers = 5 +#admin_max_clients = 5 +#admin_max_queued_clients = 5 +#admin_max_client_requests = 5 + +################################################################# +# +# Logging controls +# + +# Logging level: 4 errors, 3 warnings, 2 information, 1 debug +# basically 1 will log everything possible +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +# +# WARNING: It outputs too much information to practically read. +# WARNING: The "log_filters" setting is recommended instead. +# +# WARNING: Journald applies rate limiting of messages and so libvirt +# WARNING: will limit "log_level" to only allow values 3 or 4 if +# WARNING: journald is the current output. +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +#log_level = 3 + +# Logging filters: +# A filter allows to select a different logging level for a given category +# of logs. The format for a filter is: +# +# level:match +# +# where 'match' is a string which is matched against the category +# given in the VIR_LOG_INIT() at the top of each libvirt source +# file, e.g., "remote", "qemu", or "util.json". The 'match' in the +# filter matches using shell wildcard syntax (see 'man glob(7)'). +# The 'match' is always treated as a substring match. IOW a match +# string 'foo' is equivalent to '*foo*'. +# +# 'level' is the minimal level where matching messages should +# be logged: +# +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple filters can be defined in a single @log_filters, they just need +# to be separated by spaces. Note that libvirt performs "first" match, i.e. +# if there are concurrent filters, the first one that matches will be applied, +# given the order in @log_filters. +# +# A typical need is to capture information from a hypervisor driver, +# public API entrypoints and some of the utility code. Some utility +# code is very verbose and is generally not desired. Taking the QEMU +# hypervisor as an example, a suitable filter string for debugging +# might be to turn off object, json & event logging, but enable the +# rest of the util code: +# +#log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util" + +# Logging outputs: +# An output is one of the places to save logging information +# The format for an output can be: +# level:stderr +# output goes to stderr +# level:syslog:name +# use syslog for the output and use the given name as the ident +# level:file:file_path +# output to a file, with the given filepath +# level:journald +# output to journald logging system +# In all cases 'level' is the minimal priority, acting as a filter +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple outputs can be defined, they just need to be separated by spaces. +# e.g. to log all warnings and errors to syslog under the virtnetworkd ident: +#log_outputs="3:syslog:virtnetworkd" + + +################################################################## +# +# Auditing +# +# This setting allows usage of the auditing subsystem to be altered: +# +# audit_level == 0 -> disable all auditing +# audit_level == 1 -> enable auditing, only if enabled on host (default) +# audit_level == 2 -> enable auditing, and exit if disabled on host +# +#audit_level = 2 +# +# If set to 1, then audit messages will also be sent +# via libvirt logging infrastructure. Defaults to 0 +# +#audit_logging = 1 + +################################################################### +# UUID of the host: +# Host UUID is read from one of the sources specified in host_uuid_source. +# +# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid' +# - 'machine-id': fetch the UUID from /etc/machine-id +# +# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide +# a valid UUID a temporary UUID will be generated. +# +# Another option is to specify host UUID in host_uuid. +# +# Keep the format of the example UUID below. UUID must not have all digits +# be the same. + +# NB This default all-zeros UUID will not work. Replace +# it with the output of the 'uuidgen' command and then +# uncomment this entry +#host_uuid = "00000000-0000-0000-0000-000000000000" +#host_uuid_source = "smbios" + +################################################################### +# Keepalive protocol: +# This allows virtnetworkd to detect broken client connections or even +# dead clients. A keepalive message is sent to a client after +# keepalive_interval seconds of inactivity to check if the client is +# still responding; keepalive_count is a maximum number of keepalive +# messages that are allowed to be sent to the client without getting +# any response before the connection is considered broken. In other +# words, the connection is automatically closed approximately after +# keepalive_interval * (keepalive_count + 1) seconds since the last +# message received from the client. If keepalive_interval is set to +# -1, virtnetworkd will never send keepalive requests; however clients +# can still send them and the daemon will send responses. When +# keepalive_count is set to 0, connections will be automatically +# closed after keepalive_interval seconds of inactivity without +# sending any keepalive messages. +# +#keepalive_interval = 5 +#keepalive_count = 5 + +# +# These configuration options are no longer used. There is no way to +# restrict such clients from connecting since they first need to +# connect in order to ask for keepalive. +# +#keepalive_required = 1 +#admin_keepalive_required = 1 + +# Keepalive settings for the admin interface +#admin_keepalive_interval = 5 +#admin_keepalive_count = 5 + +################################################################### +# Open vSwitch: +# This allows to specify a timeout for openvswitch calls made by +# libvirt. The ovs-vsctl utility is used for the configuration and +# its timeout option is set by default to 5 seconds to avoid +# potential infinite waits blocking libvirt. +# +#ovs_timeout = 5 From b34fef635488664fe6077543bdbea2992d38fbeb Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Wed, 13 Aug 2025 11:22:43 +0100 Subject: [PATCH 29/36] create virtstoraged.conf erb for EL9+ --- templates/virtstoraged.conf.erb | 361 ++++++++++++++++++++++++++++++++ 1 file changed, 361 insertions(+) create mode 100644 templates/virtstoraged.conf.erb diff --git a/templates/virtstoraged.conf.erb b/templates/virtstoraged.conf.erb new file mode 100644 index 0000000..9f82b61 --- /dev/null +++ b/templates/virtstoraged.conf.erb @@ -0,0 +1,361 @@ +# This file is managed by puppet - changes will be overwritten + +# Master libvirt daemon configuration file +# + +################################################################# +# +# UNIX socket access controls +# + +# Set the UNIX domain socket group ownership. This can be used to +# allow a 'trusted' set of users access to management capabilities +# without becoming root. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# This is restricted to 'root' by default. +unix_sock_group = "<%= @unix_sock_group %>" + +# Set the UNIX socket permissions for the R/O socket. This is used +# for monitoring VM status only +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows any user. If setting group ownership, you may want to +# restrict this too. +unix_sock_ro_perms = "<%= @unix_sock_ro_perms %>" + +# Set the UNIX socket permissions for the R/W socket. This is used +# for full management of VMs +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows only root. If PolicyKit is enabled on the socket, +# the default will change to allow everyone (eg, 0777) +# +# If not using PolicyKit and setting group ownership for access +# control, then you may want to relax this too. +unix_sock_rw_perms = "<%= @unix_sock_rw_perms %>" + + +# Set the UNIX socket permissions for the admin interface socket. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows only owner (root), do not change it unless you are +# sure to whom you are exposing the access to. +#unix_sock_admin_perms = "0700" + +# Set the name of the directory in which sockets will be found/created. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +unix_sock_dir = "<%= @unix_sock_dir %>" + + + +################################################################# +# +# Authentication. +# +# There are the following choices available: +# +# - none: do not perform auth checks. If you can connect to the +# socket you are allowed. This is suitable if there are +# restrictions on connecting to the socket (eg, UNIX +# socket permissions), or if there is a lower layer in +# the network providing auth (eg, TLS/x509 certificates) +# +# - sasl: use SASL infrastructure. The actual auth scheme is then +# controlled from /etc/sasl2/libvirt.conf. For the TCP +# socket only GSSAPI & DIGEST-MD5 mechanisms will be used. +# For non-TCP or TLS sockets, any scheme is allowed. +# +# - polkit: use PolicyKit to authenticate. This is only suitable +# for use on the UNIX sockets. The default policy will +# require a user to supply their own password to gain +# full read/write access (aka sudo like), while anyone +# is allowed read/only access. +# + +# Set an authentication scheme for UNIX read-only sockets +# +# By default socket permissions allow anyone to connect +# +# If libvirt was compiled without support for 'polkit', then +# no access control checks are done, but libvirt still only +# allows execution of APIs which don't change state. +# +# If libvirt was compiled with support for 'polkit', then +# the libvirt socket will perform a check with polkit after +# connections. The default policy still allows any local +# user access. +# +# To restrict monitoring of domains you may wish to either +# enable 'sasl' here, or change the polkit policy definition. +auth_unix_ro = "<%= @auth_unix_ro %>" + +# Set an authentication scheme for UNIX read-write sockets. +# +# If libvirt was compiled without support for 'polkit', then +# the systemd .socket files will use SocketMode=0600 by default +# thus only allowing root user to connect, and 'auth_unix_rw' +# will default to 'none'. +# +# If libvirt was compiled with support for 'polkit', then +# the systemd .socket files will use SocketMode=0666 which +# allows any user to connect and 'auth_unix_rw' will default +# to 'polkit'. If you disable use of 'polkit' here, then it +# is essential to change the systemd SocketMode parameter +# back to 0600, to avoid an insecure configuration. +# +auth_unix_rw = "<%= @auth_unix_rw %>" + +# Change the API access control scheme +# +# By default an authenticated user is allowed access +# to all APIs. Access drivers can place restrictions +# on this. By default the 'nop' driver is enabled, +# meaning no access control checks are done once a +# client has authenticated with virtstoraged +# +access_drivers = [ "<%= @access_drivers %>" ] + +# no puppet parameters beyond this point, future releases will grow scope +################################################################# +# +# Authorization controls +# + + +# An access control list of allowed SASL usernames. The format for username +# depends on the SASL authentication mechanism. Kerberos usernames +# look like username@REALM +# +# This list may contain wildcards such as +# +# "*@EXAMPLE.COM" +# +# See the g_pattern_match function for the format of the wildcards. +# +# https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching.html +# +# NB If this is an empty list, no client can connect, so comment out +# entirely rather than using empty list to disable these checks +# +# By default, no Username's are checked +#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] + + +################################################################# +# +# Processing controls +# + +# The maximum number of concurrent client connections to allow +# over all sockets combined. +#max_clients = 5000 + +# The maximum length of queue of connections waiting to be +# accepted by the daemon. Note, that some protocols supporting +# retransmission may obey this so that a later reattempt at +# connection succeeds. +#max_queued_clients = 1000 + +# The maximum length of queue of accepted but not yet +# authenticated clients. The default value is 20. Set this to +# zero to turn this feature off. +#max_anonymous_clients = 20 + +# The minimum limit sets the number of workers to start up +# initially. If the number of active clients exceeds this, +# then more threads are spawned, up to max_workers limit. +# Typically you'd want max_workers to equal maximum number +# of clients allowed +#min_workers = 5 +#max_workers = 20 + + +# The number of priority workers. If all workers from above +# pool are stuck, some calls marked as high priority +# (notably domainDestroy) can be executed in this pool. +#prio_workers = 5 + +# Limit on concurrent requests from a single client +# connection. To avoid one client monopolizing the server +# this should be a small fraction of the global max_workers +# parameter. +# Setting this too low may cause keepalive timeouts. +#max_client_requests = 5 + +# Same processing controls, but this time for the admin interface. +# For description of each option, be so kind to scroll few lines +# upwards. + +#admin_min_workers = 1 +#admin_max_workers = 5 +#admin_max_clients = 5 +#admin_max_queued_clients = 5 +#admin_max_client_requests = 5 + +################################################################# +# +# Logging controls +# + +# Logging level: 4 errors, 3 warnings, 2 information, 1 debug +# basically 1 will log everything possible +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +# +# WARNING: It outputs too much information to practically read. +# WARNING: The "log_filters" setting is recommended instead. +# +# WARNING: Journald applies rate limiting of messages and so libvirt +# WARNING: will limit "log_level" to only allow values 3 or 4 if +# WARNING: journald is the current output. +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +#log_level = 3 + +# Logging filters: +# A filter allows to select a different logging level for a given category +# of logs. The format for a filter is: +# +# level:match +# +# where 'match' is a string which is matched against the category +# given in the VIR_LOG_INIT() at the top of each libvirt source +# file, e.g., "remote", "qemu", or "util.json". The 'match' in the +# filter matches using shell wildcard syntax (see 'man glob(7)'). +# The 'match' is always treated as a substring match. IOW a match +# string 'foo' is equivalent to '*foo*'. +# +# 'level' is the minimal level where matching messages should +# be logged: +# +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple filters can be defined in a single @log_filters, they just need +# to be separated by spaces. Note that libvirt performs "first" match, i.e. +# if there are concurrent filters, the first one that matches will be applied, +# given the order in @log_filters. +# +# A typical need is to capture information from a hypervisor driver, +# public API entrypoints and some of the utility code. Some utility +# code is very verbose and is generally not desired. Taking the QEMU +# hypervisor as an example, a suitable filter string for debugging +# might be to turn off object, json & event logging, but enable the +# rest of the util code: +# +#log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util" + +# Logging outputs: +# An output is one of the places to save logging information +# The format for an output can be: +# level:stderr +# output goes to stderr +# level:syslog:name +# use syslog for the output and use the given name as the ident +# level:file:file_path +# output to a file, with the given filepath +# level:journald +# output to journald logging system +# In all cases 'level' is the minimal priority, acting as a filter +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple outputs can be defined, they just need to be separated by spaces. +# e.g. to log all warnings and errors to syslog under the virtstoraged ident: +#log_outputs="3:syslog:virtstoraged" + + +################################################################## +# +# Auditing +# +# This setting allows usage of the auditing subsystem to be altered: +# +# audit_level == 0 -> disable all auditing +# audit_level == 1 -> enable auditing, only if enabled on host (default) +# audit_level == 2 -> enable auditing, and exit if disabled on host +# +#audit_level = 2 +# +# If set to 1, then audit messages will also be sent +# via libvirt logging infrastructure. Defaults to 0 +# +#audit_logging = 1 + +################################################################### +# UUID of the host: +# Host UUID is read from one of the sources specified in host_uuid_source. +# +# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid' +# - 'machine-id': fetch the UUID from /etc/machine-id +# +# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide +# a valid UUID a temporary UUID will be generated. +# +# Another option is to specify host UUID in host_uuid. +# +# Keep the format of the example UUID below. UUID must not have all digits +# be the same. + +# NB This default all-zeros UUID will not work. Replace +# it with the output of the 'uuidgen' command and then +# uncomment this entry +#host_uuid = "00000000-0000-0000-0000-000000000000" +#host_uuid_source = "smbios" + +################################################################### +# Keepalive protocol: +# This allows virtstoraged to detect broken client connections or even +# dead clients. A keepalive message is sent to a client after +# keepalive_interval seconds of inactivity to check if the client is +# still responding; keepalive_count is a maximum number of keepalive +# messages that are allowed to be sent to the client without getting +# any response before the connection is considered broken. In other +# words, the connection is automatically closed approximately after +# keepalive_interval * (keepalive_count + 1) seconds since the last +# message received from the client. If keepalive_interval is set to +# -1, virtstoraged will never send keepalive requests; however clients +# can still send them and the daemon will send responses. When +# keepalive_count is set to 0, connections will be automatically +# closed after keepalive_interval seconds of inactivity without +# sending any keepalive messages. +# +#keepalive_interval = 5 +#keepalive_count = 5 + +# +# These configuration options are no longer used. There is no way to +# restrict such clients from connecting since they first need to +# connect in order to ask for keepalive. +# +#keepalive_required = 1 +#admin_keepalive_required = 1 + +# Keepalive settings for the admin interface +#admin_keepalive_interval = 5 +#admin_keepalive_count = 5 + +################################################################### +# Open vSwitch: +# This allows to specify a timeout for openvswitch calls made by +# libvirt. The ovs-vsctl utility is used for the configuration and +# its timeout option is set by default to 5 seconds to avoid +# potential infinite waits blocking libvirt. +# +#ovs_timeout = 5 From fad9e7d4ca2a5a16b1f7c249055ed0e47d516a8f Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Wed, 13 Aug 2025 11:26:54 +0100 Subject: [PATCH 30/36] create virtinterfaced.conf erb for EL9+ --- templates/virtinterfaced.conf.erb | 364 ++++++++++++++++++++++++++++++ 1 file changed, 364 insertions(+) create mode 100644 templates/virtinterfaced.conf.erb diff --git a/templates/virtinterfaced.conf.erb b/templates/virtinterfaced.conf.erb new file mode 100644 index 0000000..105f908 --- /dev/null +++ b/templates/virtinterfaced.conf.erb @@ -0,0 +1,364 @@ +# This file is managed by puppet - changes will be overwritten +# + +# Master libvirt daemon configuration file +# + +################################################################# +# +# UNIX socket access controls +# + +# Set the UNIX domain socket group ownership. This can be used to +# allow a 'trusted' set of users access to management capabilities +# without becoming root. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# This is restricted to 'root' by default. +unix_sock_group = "<%= @unix_sock_group %>" + +# Set the UNIX socket permissions for the R/O socket. This is used +# for monitoring VM status only +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows any user. If setting group ownership, you may want to +# restrict this too. +unix_sock_ro_perms = "<%= @unix_sock_ro_perms %>" + +# Set the UNIX socket permissions for the R/W socket. This is used +# for full management of VMs +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows only root. If PolicyKit is enabled on the socket, +# the default will change to allow everyone (eg, 0777) +# +# If not using PolicyKit and setting group ownership for access +# control, then you may want to relax this too. +unix_sock_rw_perms = "<%= @unix_sock_rw_perms %>" + +# Set the UNIX socket permissions for the admin interface socket. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows only owner (root), do not change it unless you are +# sure to whom you are exposing the access to. +#unix_sock_admin_perms = "0700" + +# Set the name of the directory in which sockets will be found/created. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +unix_sock_dir = "<%= @unix_sock_dir %>" + + + + +################################################################# +# +# Authentication. +# +# There are the following choices available: +# +# - none: do not perform auth checks. If you can connect to the +# socket you are allowed. This is suitable if there are +# restrictions on connecting to the socket (eg, UNIX +# socket permissions), or if there is a lower layer in +# the network providing auth (eg, TLS/x509 certificates) +# +# - sasl: use SASL infrastructure. The actual auth scheme is then +# controlled from /etc/sasl2/libvirt.conf. For the TCP +# socket only GSSAPI & DIGEST-MD5 mechanisms will be used. +# For non-TCP or TLS sockets, any scheme is allowed. +# +# - polkit: use PolicyKit to authenticate. This is only suitable +# for use on the UNIX sockets. The default policy will +# require a user to supply their own password to gain +# full read/write access (aka sudo like), while anyone +# is allowed read/only access. +# + +# Set an authentication scheme for UNIX read-only sockets +# +# By default socket permissions allow anyone to connect +# +# If libvirt was compiled without support for 'polkit', then +# no access control checks are done, but libvirt still only +# allows execution of APIs which don't change state. +# +# If libvirt was compiled with support for 'polkit', then +# the libvirt socket will perform a check with polkit after +# connections. The default policy still allows any local +# user access. +# +# To restrict monitoring of domains you may wish to either +# enable 'sasl' here, or change the polkit policy definition. +auth_unix_ro = "<%= @auth_unix_ro %>" + +# Set an authentication scheme for UNIX read-write sockets. +# +# If libvirt was compiled without support for 'polkit', then +# the systemd .socket files will use SocketMode=0600 by default +# thus only allowing root user to connect, and 'auth_unix_rw' +# will default to 'none'. +# +# If libvirt was compiled with support for 'polkit', then +# the systemd .socket files will use SocketMode=0666 which +# allows any user to connect and 'auth_unix_rw' will default +# to 'polkit'. If you disable use of 'polkit' here, then it +# is essential to change the systemd SocketMode parameter +# back to 0600, to avoid an insecure configuration. +# +auth_unix_rw = "<%= @auth_unix_rw %>" + + + +# Change the API access control scheme +# +# By default an authenticated user is allowed access +# to all APIs. Access drivers can place restrictions +# on this. By default the 'nop' driver is enabled, +# meaning no access control checks are done once a +# client has authenticated with virtinterfaced +# +access_drivers = [ "<%= @access_drivers %>" ] + +# no puppet parameters beyond this point, future releases will grow scope +################################################################# +# +# Authorization controls +# + + +# An access control list of allowed SASL usernames. The format for username +# depends on the SASL authentication mechanism. Kerberos usernames +# look like username@REALM +# +# This list may contain wildcards such as +# +# "*@EXAMPLE.COM" +# +# See the g_pattern_match function for the format of the wildcards. +# +# https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching.html +# +# NB If this is an empty list, no client can connect, so comment out +# entirely rather than using empty list to disable these checks +# +# By default, no Username's are checked +#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] + + +################################################################# +# +# Processing controls +# + +# The maximum number of concurrent client connections to allow +# over all sockets combined. +#max_clients = 5000 + +# The maximum length of queue of connections waiting to be +# accepted by the daemon. Note, that some protocols supporting +# retransmission may obey this so that a later reattempt at +# connection succeeds. +#max_queued_clients = 1000 + +# The maximum length of queue of accepted but not yet +# authenticated clients. The default value is 20. Set this to +# zero to turn this feature off. +#max_anonymous_clients = 20 + +# The minimum limit sets the number of workers to start up +# initially. If the number of active clients exceeds this, +# then more threads are spawned, up to max_workers limit. +# Typically you'd want max_workers to equal maximum number +# of clients allowed +#min_workers = 5 +#max_workers = 20 + + +# The number of priority workers. If all workers from above +# pool are stuck, some calls marked as high priority +# (notably domainDestroy) can be executed in this pool. +#prio_workers = 5 + +# Limit on concurrent requests from a single client +# connection. To avoid one client monopolizing the server +# this should be a small fraction of the global max_workers +# parameter. +# Setting this too low may cause keepalive timeouts. +#max_client_requests = 5 + +# Same processing controls, but this time for the admin interface. +# For description of each option, be so kind to scroll few lines +# upwards. + +#admin_min_workers = 1 +#admin_max_workers = 5 +#admin_max_clients = 5 +#admin_max_queued_clients = 5 +#admin_max_client_requests = 5 + +################################################################# +# +# Logging controls +# + +# Logging level: 4 errors, 3 warnings, 2 information, 1 debug +# basically 1 will log everything possible +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +# +# WARNING: It outputs too much information to practically read. +# WARNING: The "log_filters" setting is recommended instead. +# +# WARNING: Journald applies rate limiting of messages and so libvirt +# WARNING: will limit "log_level" to only allow values 3 or 4 if +# WARNING: journald is the current output. +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +#log_level = 3 + +# Logging filters: +# A filter allows to select a different logging level for a given category +# of logs. The format for a filter is: +# +# level:match +# +# where 'match' is a string which is matched against the category +# given in the VIR_LOG_INIT() at the top of each libvirt source +# file, e.g., "remote", "qemu", or "util.json". The 'match' in the +# filter matches using shell wildcard syntax (see 'man glob(7)'). +# The 'match' is always treated as a substring match. IOW a match +# string 'foo' is equivalent to '*foo*'. +# +# 'level' is the minimal level where matching messages should +# be logged: +# +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple filters can be defined in a single @log_filters, they just need +# to be separated by spaces. Note that libvirt performs "first" match, i.e. +# if there are concurrent filters, the first one that matches will be applied, +# given the order in @log_filters. +# +# A typical need is to capture information from a hypervisor driver, +# public API entrypoints and some of the utility code. Some utility +# code is very verbose and is generally not desired. Taking the QEMU +# hypervisor as an example, a suitable filter string for debugging +# might be to turn off object, json & event logging, but enable the +# rest of the util code: +# +#log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util" + +# Logging outputs: +# An output is one of the places to save logging information +# The format for an output can be: +# level:stderr +# output goes to stderr +# level:syslog:name +# use syslog for the output and use the given name as the ident +# level:file:file_path +# output to a file, with the given filepath +# level:journald +# output to journald logging system +# In all cases 'level' is the minimal priority, acting as a filter +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple outputs can be defined, they just need to be separated by spaces. +# e.g. to log all warnings and errors to syslog under the virtinterfaced ident: +#log_outputs="3:syslog:virtinterfaced" + + +################################################################## +# +# Auditing +# +# This setting allows usage of the auditing subsystem to be altered: +# +# audit_level == 0 -> disable all auditing +# audit_level == 1 -> enable auditing, only if enabled on host (default) +# audit_level == 2 -> enable auditing, and exit if disabled on host +# +#audit_level = 2 +# +# If set to 1, then audit messages will also be sent +# via libvirt logging infrastructure. Defaults to 0 +# +#audit_logging = 1 + +################################################################### +# UUID of the host: +# Host UUID is read from one of the sources specified in host_uuid_source. +# +# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid' +# - 'machine-id': fetch the UUID from /etc/machine-id +# +# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide +# a valid UUID a temporary UUID will be generated. +# +# Another option is to specify host UUID in host_uuid. +# +# Keep the format of the example UUID below. UUID must not have all digits +# be the same. + +# NB This default all-zeros UUID will not work. Replace +# it with the output of the 'uuidgen' command and then +# uncomment this entry +#host_uuid = "00000000-0000-0000-0000-000000000000" +#host_uuid_source = "smbios" + +################################################################### +# Keepalive protocol: +# This allows virtinterfaced to detect broken client connections or even +# dead clients. A keepalive message is sent to a client after +# keepalive_interval seconds of inactivity to check if the client is +# still responding; keepalive_count is a maximum number of keepalive +# messages that are allowed to be sent to the client without getting +# any response before the connection is considered broken. In other +# words, the connection is automatically closed approximately after +# keepalive_interval * (keepalive_count + 1) seconds since the last +# message received from the client. If keepalive_interval is set to +# -1, virtinterfaced will never send keepalive requests; however clients +# can still send them and the daemon will send responses. When +# keepalive_count is set to 0, connections will be automatically +# closed after keepalive_interval seconds of inactivity without +# sending any keepalive messages. +# +#keepalive_interval = 5 +#keepalive_count = 5 + +# +# These configuration options are no longer used. There is no way to +# restrict such clients from connecting since they first need to +# connect in order to ask for keepalive. +# +#keepalive_required = 1 +#admin_keepalive_required = 1 + +# Keepalive settings for the admin interface +#admin_keepalive_interval = 5 +#admin_keepalive_count = 5 + +################################################################### +# Open vSwitch: +# This allows to specify a timeout for openvswitch calls made by +# libvirt. The ovs-vsctl utility is used for the configuration and +# its timeout option is set by default to 5 seconds to avoid +# potential infinite waits blocking libvirt. +# +#ovs_timeout = 5 From bef55b7732c9b55fbb78270bf6b8b7008159db47 Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Wed, 13 Aug 2025 11:48:50 +0100 Subject: [PATCH 31/36] create virtlogd.conf erb for EL9+ --- templates/virtlogd.conf.erb | 120 ++++++++++++++++++++++++++++++++++++ 1 file changed, 120 insertions(+) create mode 100644 templates/virtlogd.conf.erb diff --git a/templates/virtlogd.conf.erb b/templates/virtlogd.conf.erb new file mode 100644 index 0000000..6ffefd3 --- /dev/null +++ b/templates/virtlogd.conf.erb @@ -0,0 +1,120 @@ +# This file is managed by puppet - changes will be overwritten +# this file currently has no parameters as it's just being used for functional testing +# log confg parameters will be added once functionally working +# Master virtlogd daemon configuration file +# + +################################################################# +# +# Logging controls +# + +# Logging level: 4 errors, 3 warnings, 2 information, 1 debug +# basically 1 will log everything possible +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +# +# WARNING: It outputs too much information to practically read. +# WARNING: The "log_filters" setting is recommended instead. +# +# WARNING: Journald applies rate limiting of messages and so libvirt +# WARNING: will limit "log_level" to only allow values 3 or 4 if +# WARNING: journald is the current output. +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +#log_level = 3 + +# Logging filters: +# A filter allows to select a different logging level for a given category +# of logs. The format for a filter is: +# +# level:match +# +# where 'match' is a string which is matched against the category +# given in the VIR_LOG_INIT() at the top of each libvirt source +# file, e.g., "remote", "qemu", or "util.json". The 'match' in the +# filter matches using shell wildcard syntax (see 'man glob(7)'). +# The 'match' is always treated as a substring match. IOW a match +# string 'foo' is equivalent to '*foo*'. +# +# 'level' is the minimal level where matching messages should +# be logged: +# +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple filters can be defined in a single @log_filters, they just need +# to be separated by spaces. Note that libvirt performs "first" match, i.e. +# if there are concurrent filters, the first one that matches will be applied, +# given the order in @log_filters. +# +# For the virtlogd daemon, a typical need is to capture information +# from the logging code and some of the utility code. Some utility +# code is very verbose and is generally not desired. A suitable filter +# string for debugging might be to turn off object, json & event logging, +# but enable the rest of the util and the logging code: +# +#log_filters="1:logging 4:object 4:json 4:event 1:util" + +# Logging outputs: +# An output is one of the places to save logging information +# The format for an output can be: +# level:stderr +# output goes to stderr +# level:syslog:name +# use syslog for the output and use the given name as the ident +# level:file:file_path +# output to a file, with the given filepath +# level:journald +# output to journald logging system +# In all cases 'level' is the minimal priority, acting as a filter +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple outputs can be defined, they just need to be separated by spaces. +# e.g. to log all warnings and errors to syslog under the virtlogd ident: +#log_outputs="3:syslog:virtlogd" +# + +# The maximum number of concurrent client connections to allow +# on primary socket +#max_clients = 1024 + +# The maximum number of concurrent client connections to allow +# on administrative socket +#admin_max_clients = 5 + +# Maximum file size before rolling over. Defaults to 2 MB +# +# Setting max_size to zero will disable rollover entirely. +# NOTE: disabling rollover exposes the host filesystem to +# denial of service from a malicious guest. +# +# Beware that a logrotate config file might be installed too, +# to handle cases where virtlogd is disabled. To ensure that +# the logrotate config is a no-op when virtlogd is running, +# make sure that max_size here is smaller than size listed +# in the logrotate config. +#max_size = 2097152 + +# Maximum number of backup files to keep. Defaults to 3, +# not including the primary active file +#max_backups = 3 + +# Maximum age for log files to live after the last modification. +# Defaults to 0, which means "forever". +# +# WARNING: since virtlogd has no way to differentiate which files it used to +# manage, the garbage collection mechanism will collect ALL files, once its age +# reach max_age_days. Use only if you know what you mean. +#max_age_days = 0 + +# Root of all logs managed by virtlogd. Used to GC logs from obsolete machines. +# +# WARNING: all files under this location potentially can be GC-ed. See the +# warning for max_age_days. +#log_root = "/var/log/libvirt" From 2f3175485c0174bccb9c452f9cc6ac31db0799b1 Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Wed, 13 Aug 2025 11:52:35 +0100 Subject: [PATCH 32/36] create virtlockd.conf erb for EL9+ --- templates/virtlockd.conf.erb | 91 ++++++++++++++++++++++++++++++++++++ 1 file changed, 91 insertions(+) create mode 100644 templates/virtlockd.conf.erb diff --git a/templates/virtlockd.conf.erb b/templates/virtlockd.conf.erb new file mode 100644 index 0000000..87eb73f --- /dev/null +++ b/templates/virtlockd.conf.erb @@ -0,0 +1,91 @@ +# # This file is managed by puppet - changes will be overwritten +# This file currently contains no parameters and is being used for functional testing +# Master virtlockd daemon configuration file +# + +################################################################# +# +# Logging controls +# + +# Logging level: 4 errors, 3 warnings, 2 information, 1 debug +# basically 1 will log everything possible +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +# +# WARNING: It outputs too much information to practically read. +# WARNING: The "log_filters" setting is recommended instead. +# +# WARNING: Journald applies rate limiting of messages and so libvirt +# WARNING: will limit "log_level" to only allow values 3 or 4 if +# WARNING: journald is the current output. +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +#log_level = 3 + +# Logging filters: +# A filter allows to select a different logging level for a given category +# of logs. The format for a filter is: +# +# level:match +# +# where 'match' is a string which is matched against the category +# given in the VIR_LOG_INIT() at the top of each libvirt source +# file, e.g., "remote", "qemu", or "util.json". The 'match' in the +# filter matches using shell wildcard syntax (see 'man glob(7)'). +# The 'match' is always treated as a substring match. IOW a match +# string 'foo' is equivalent to '*foo*'. +# +# 'level' is the minimal level where matching messages should +# be logged: +# +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple filters can be defined in a single @log_filters, they just need +# to be separated by spaces. Note that libvirt performs "first" match, i.e. +# if there are concurrent filters, the first one that matches will be applied, +# given the order in @log_filters. +# +# For the virtlockd daemon, a typical need is to capture information +# from the locking code and some of the utility code. Some utility +# code is very verbose and is generally not desired. A suitable filter +# string for debugging might be to turn off object, json & event logging, +# but enable the rest of the util and the locking code: +# +#log_filters="1:locking 4:object 4:json 4:event 1:util" + +# Logging outputs: +# An output is one of the places to save logging information +# The format for an output can be: +# level:stderr +# output goes to stderr +# level:syslog:name +# use syslog for the output and use the given name as the ident +# level:file:file_path +# output to a file, with the given filepath +# level:journald +# output to journald logging system +# In all cases 'level' is the minimal priority, acting as a filter +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple outputs can be defined, they just need to be separated by spaces. +# e.g. to log all warnings and errors to syslog under the virtlockd ident: +#log_outputs="3:syslog:virtlockd" +# + +# The maximum number of concurrent client connections to allow +# on primary socket +# Each running virtual machine will require one open connection +# to virtlockd. So 'max_clients' will affect how many VMs can +# be run on a host +#max_clients = 1024 + +# The maximum number of concurrent client connections to allow +# on administrative socket +#admin_max_clients = 5 From 410b7fd7abdfd050564c9e0cce33f42673a9bfc8 Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Wed, 13 Aug 2025 11:56:39 +0100 Subject: [PATCH 33/36] create virtnodedevd.conf erb for EL9+ --- templates/virtnodedevd.conf.erb | 364 ++++++++++++++++++++++++++++++++ 1 file changed, 364 insertions(+) create mode 100644 templates/virtnodedevd.conf.erb diff --git a/templates/virtnodedevd.conf.erb b/templates/virtnodedevd.conf.erb new file mode 100644 index 0000000..7590a7e --- /dev/null +++ b/templates/virtnodedevd.conf.erb @@ -0,0 +1,364 @@ +# This file is managed by puppet - changes will be overwritten +# +# Master libvirt daemon configuration file +# + +################################################################# +# +# UNIX socket access controls +# + +# Set the UNIX domain socket group ownership. This can be used to +# allow a 'trusted' set of users access to management capabilities +# without becoming root. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# This is restricted to 'root' by default. +unix_sock_group = "<%= @unix_sock_group %>" + +# Set the UNIX socket permissions for the R/O socket. This is used +# for monitoring VM status only +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows any user. If setting group ownership, you may want to +# restrict this too. +unix_sock_ro_perms = "<%= @unix_sock_ro_perms %>" + + +# Set the UNIX socket permissions for the R/W socket. This is used +# for full management of VMs +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows only root. If PolicyKit is enabled on the socket, +# the default will change to allow everyone (eg, 0777) +# +# If not using PolicyKit and setting group ownership for access +# control, then you may want to relax this too. +unix_sock_rw_perms = "<%= @unix_sock_rw_perms %>" + + +# Set the UNIX socket permissions for the admin interface socket. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows only owner (root), do not change it unless you are +# sure to whom you are exposing the access to. +#unix_sock_admin_perms = "0700" + + +# Set the name of the directory in which sockets will be found/created. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +unix_sock_dir = "<%= @unix_sock_dir %>" + + + +################################################################# +# +# Authentication. +# +# There are the following choices available: +# +# - none: do not perform auth checks. If you can connect to the +# socket you are allowed. This is suitable if there are +# restrictions on connecting to the socket (eg, UNIX +# socket permissions), or if there is a lower layer in +# the network providing auth (eg, TLS/x509 certificates) +# +# - sasl: use SASL infrastructure. The actual auth scheme is then +# controlled from /etc/sasl2/libvirt.conf. For the TCP +# socket only GSSAPI & DIGEST-MD5 mechanisms will be used. +# For non-TCP or TLS sockets, any scheme is allowed. +# +# - polkit: use PolicyKit to authenticate. This is only suitable +# for use on the UNIX sockets. The default policy will +# require a user to supply their own password to gain +# full read/write access (aka sudo like), while anyone +# is allowed read/only access. +# + +# Set an authentication scheme for UNIX read-only sockets +# +# By default socket permissions allow anyone to connect +# +# If libvirt was compiled without support for 'polkit', then +# no access control checks are done, but libvirt still only +# allows execution of APIs which don't change state. +# +# If libvirt was compiled with support for 'polkit', then +# the libvirt socket will perform a check with polkit after +# connections. The default policy still allows any local +# user access. +# +# To restrict monitoring of domains you may wish to either +# enable 'sasl' here, or change the polkit policy definition. +auth_unix_ro = "<%= @auth_unix_ro %>" + +# Set an authentication scheme for UNIX read-write sockets. +# +# If libvirt was compiled without support for 'polkit', then +# the systemd .socket files will use SocketMode=0600 by default +# thus only allowing root user to connect, and 'auth_unix_rw' +# will default to 'none'. +# +# If libvirt was compiled with support for 'polkit', then +# the systemd .socket files will use SocketMode=0666 which +# allows any user to connect and 'auth_unix_rw' will default +# to 'polkit'. If you disable use of 'polkit' here, then it +# is essential to change the systemd SocketMode parameter +# back to 0600, to avoid an insecure configuration. +# +auth_unix_rw = "<%= @auth_unix_rw %>" + + +# Change the API access control scheme +# +# By default an authenticated user is allowed access +# to all APIs. Access drivers can place restrictions +# on this. By default the 'nop' driver is enabled, +# meaning no access control checks are done once a +# client has authenticated with virtnodedevd +# +access_drivers = [ "<%= @access_drivers %>" ] + +# no puppet parameters exist beyond this point - future releases will grow scope +################################################################# +# +# Authorization controls +# + + +# An access control list of allowed SASL usernames. The format for username +# depends on the SASL authentication mechanism. Kerberos usernames +# look like username@REALM +# +# This list may contain wildcards such as +# +# "*@EXAMPLE.COM" +# +# See the g_pattern_match function for the format of the wildcards. +# +# https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching.html +# +# NB If this is an empty list, no client can connect, so comment out +# entirely rather than using empty list to disable these checks +# +# By default, no Username's are checked +#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] + + +################################################################# +# +# Processing controls +# + +# The maximum number of concurrent client connections to allow +# over all sockets combined. +#max_clients = 5000 + +# The maximum length of queue of connections waiting to be +# accepted by the daemon. Note, that some protocols supporting +# retransmission may obey this so that a later reattempt at +# connection succeeds. +#max_queued_clients = 1000 + +# The maximum length of queue of accepted but not yet +# authenticated clients. The default value is 20. Set this to +# zero to turn this feature off. +#max_anonymous_clients = 20 + +# The minimum limit sets the number of workers to start up +# initially. If the number of active clients exceeds this, +# then more threads are spawned, up to max_workers limit. +# Typically you'd want max_workers to equal maximum number +# of clients allowed +#min_workers = 5 +#max_workers = 20 + + +# The number of priority workers. If all workers from above +# pool are stuck, some calls marked as high priority +# (notably domainDestroy) can be executed in this pool. +#prio_workers = 5 + +# Limit on concurrent requests from a single client +# connection. To avoid one client monopolizing the server +# this should be a small fraction of the global max_workers +# parameter. +# Setting this too low may cause keepalive timeouts. +#max_client_requests = 5 + +# Same processing controls, but this time for the admin interface. +# For description of each option, be so kind to scroll few lines +# upwards. + +#admin_min_workers = 1 +#admin_max_workers = 5 +#admin_max_clients = 5 +#admin_max_queued_clients = 5 +#admin_max_client_requests = 5 + +################################################################# +# +# Logging controls +# + +# Logging level: 4 errors, 3 warnings, 2 information, 1 debug +# basically 1 will log everything possible +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +# +# WARNING: It outputs too much information to practically read. +# WARNING: The "log_filters" setting is recommended instead. +# +# WARNING: Journald applies rate limiting of messages and so libvirt +# WARNING: will limit "log_level" to only allow values 3 or 4 if +# WARNING: journald is the current output. +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +#log_level = 3 + +# Logging filters: +# A filter allows to select a different logging level for a given category +# of logs. The format for a filter is: +# +# level:match +# +# where 'match' is a string which is matched against the category +# given in the VIR_LOG_INIT() at the top of each libvirt source +# file, e.g., "remote", "qemu", or "util.json". The 'match' in the +# filter matches using shell wildcard syntax (see 'man glob(7)'). +# The 'match' is always treated as a substring match. IOW a match +# string 'foo' is equivalent to '*foo*'. +# +# 'level' is the minimal level where matching messages should +# be logged: +# +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple filters can be defined in a single @log_filters, they just need +# to be separated by spaces. Note that libvirt performs "first" match, i.e. +# if there are concurrent filters, the first one that matches will be applied, +# given the order in @log_filters. +# +# A typical need is to capture information from a hypervisor driver, +# public API entrypoints and some of the utility code. Some utility +# code is very verbose and is generally not desired. Taking the QEMU +# hypervisor as an example, a suitable filter string for debugging +# might be to turn off object, json & event logging, but enable the +# rest of the util code: +# +#log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util" + +# Logging outputs: +# An output is one of the places to save logging information +# The format for an output can be: +# level:stderr +# output goes to stderr +# level:syslog:name +# use syslog for the output and use the given name as the ident +# level:file:file_path +# output to a file, with the given filepath +# level:journald +# output to journald logging system +# In all cases 'level' is the minimal priority, acting as a filter +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple outputs can be defined, they just need to be separated by spaces. +# e.g. to log all warnings and errors to syslog under the virtnodedevd ident: +#log_outputs="3:syslog:virtnodedevd" + + +################################################################## +# +# Auditing +# +# This setting allows usage of the auditing subsystem to be altered: +# +# audit_level == 0 -> disable all auditing +# audit_level == 1 -> enable auditing, only if enabled on host (default) +# audit_level == 2 -> enable auditing, and exit if disabled on host +# +#audit_level = 2 +# +# If set to 1, then audit messages will also be sent +# via libvirt logging infrastructure. Defaults to 0 +# +#audit_logging = 1 + +################################################################### +# UUID of the host: +# Host UUID is read from one of the sources specified in host_uuid_source. +# +# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid' +# - 'machine-id': fetch the UUID from /etc/machine-id +# +# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide +# a valid UUID a temporary UUID will be generated. +# +# Another option is to specify host UUID in host_uuid. +# +# Keep the format of the example UUID below. UUID must not have all digits +# be the same. + +# NB This default all-zeros UUID will not work. Replace +# it with the output of the 'uuidgen' command and then +# uncomment this entry +#host_uuid = "00000000-0000-0000-0000-000000000000" +#host_uuid_source = "smbios" + +################################################################### +# Keepalive protocol: +# This allows virtnodedevd to detect broken client connections or even +# dead clients. A keepalive message is sent to a client after +# keepalive_interval seconds of inactivity to check if the client is +# still responding; keepalive_count is a maximum number of keepalive +# messages that are allowed to be sent to the client without getting +# any response before the connection is considered broken. In other +# words, the connection is automatically closed approximately after +# keepalive_interval * (keepalive_count + 1) seconds since the last +# message received from the client. If keepalive_interval is set to +# -1, virtnodedevd will never send keepalive requests; however clients +# can still send them and the daemon will send responses. When +# keepalive_count is set to 0, connections will be automatically +# closed after keepalive_interval seconds of inactivity without +# sending any keepalive messages. +# +#keepalive_interval = 5 +#keepalive_count = 5 + +# +# These configuration options are no longer used. There is no way to +# restrict such clients from connecting since they first need to +# connect in order to ask for keepalive. +# +#keepalive_required = 1 +#admin_keepalive_required = 1 + +# Keepalive settings for the admin interface +#admin_keepalive_interval = 5 +#admin_keepalive_count = 5 + +################################################################### +# Open vSwitch: +# This allows to specify a timeout for openvswitch calls made by +# libvirt. The ovs-vsctl utility is used for the configuration and +# its timeout option is set by default to 5 seconds to avoid +# potential infinite waits blocking libvirt. +# +#ovs_timeout = 5 From 8294bc45dcbd3374f22e67d0eeb722c9208a5162 Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Wed, 13 Aug 2025 11:58:48 +0100 Subject: [PATCH 34/36] add puppet managed header to file --- templates/virtnetworkd.conf.erb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/templates/virtnetworkd.conf.erb b/templates/virtnetworkd.conf.erb index e3e55c3..d89fae8 100644 --- a/templates/virtnetworkd.conf.erb +++ b/templates/virtnetworkd.conf.erb @@ -1,3 +1,5 @@ +# This file is managed by puppet - changes will be overwritten +# # Master libvirt daemon configuration file # From 8995594598d6d5ef1b6f000d0a3aec5103ecdc0e Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Wed, 13 Aug 2025 12:01:45 +0100 Subject: [PATCH 35/36] create virtnwfilterd.conf erb for EL9+ --- templates/virtnwfilterd.conf.erb | 364 +++++++++++++++++++++++++++++++ 1 file changed, 364 insertions(+) create mode 100644 templates/virtnwfilterd.conf.erb diff --git a/templates/virtnwfilterd.conf.erb b/templates/virtnwfilterd.conf.erb new file mode 100644 index 0000000..87bfac6 --- /dev/null +++ b/templates/virtnwfilterd.conf.erb @@ -0,0 +1,364 @@ +# This file is managed by puppet - changes will be overwritten +# +# Master libvirt daemon configuration file +# + +################################################################# +# +# UNIX socket access controls +# + +# Set the UNIX domain socket group ownership. This can be used to +# allow a 'trusted' set of users access to management capabilities +# without becoming root. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# This is restricted to 'root' by default. +unix_sock_group = "<%= @unix_sock_group %>" + +# Set the UNIX socket permissions for the R/O socket. This is used +# for monitoring VM status only +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows any user. If setting group ownership, you may want to +# restrict this too. +unix_sock_ro_perms = "<%= @unix_sock_ro_perms %>" + + +# Set the UNIX socket permissions for the R/W socket. This is used +# for full management of VMs +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows only root. If PolicyKit is enabled on the socket, +# the default will change to allow everyone (eg, 0777) +# +# If not using PolicyKit and setting group ownership for access +# control, then you may want to relax this too. +unix_sock_rw_perms = "<%= @unix_sock_rw_perms %>" + + +# Set the UNIX socket permissions for the admin interface socket. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows only owner (root), do not change it unless you are +# sure to whom you are exposing the access to. +#unix_sock_admin_perms = "0700" + +# Set the name of the directory in which sockets will be found/created. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +unix_sock_dir = "<%= @unix_sock_dir %>" + + + +################################################################# +# +# Authentication. +# +# There are the following choices available: +# +# - none: do not perform auth checks. If you can connect to the +# socket you are allowed. This is suitable if there are +# restrictions on connecting to the socket (eg, UNIX +# socket permissions), or if there is a lower layer in +# the network providing auth (eg, TLS/x509 certificates) +# +# - sasl: use SASL infrastructure. The actual auth scheme is then +# controlled from /etc/sasl2/libvirt.conf. For the TCP +# socket only GSSAPI & DIGEST-MD5 mechanisms will be used. +# For non-TCP or TLS sockets, any scheme is allowed. +# +# - polkit: use PolicyKit to authenticate. This is only suitable +# for use on the UNIX sockets. The default policy will +# require a user to supply their own password to gain +# full read/write access (aka sudo like), while anyone +# is allowed read/only access. +# + +# Set an authentication scheme for UNIX read-only sockets +# +# By default socket permissions allow anyone to connect +# +# If libvirt was compiled without support for 'polkit', then +# no access control checks are done, but libvirt still only +# allows execution of APIs which don't change state. +# +# If libvirt was compiled with support for 'polkit', then +# the libvirt socket will perform a check with polkit after +# connections. The default policy still allows any local +# user access. +# +# To restrict monitoring of domains you may wish to either +# enable 'sasl' here, or change the polkit policy definition. +auth_unix_ro = "<%= @auth_unix_ro %>" + +# Set an authentication scheme for UNIX read-write sockets. +# +# If libvirt was compiled without support for 'polkit', then +# the systemd .socket files will use SocketMode=0600 by default +# thus only allowing root user to connect, and 'auth_unix_rw' +# will default to 'none'. +# +# If libvirt was compiled with support for 'polkit', then +# the systemd .socket files will use SocketMode=0666 which +# allows any user to connect and 'auth_unix_rw' will default +# to 'polkit'. If you disable use of 'polkit' here, then it +# is essential to change the systemd SocketMode parameter +# back to 0600, to avoid an insecure configuration. +# +auth_unix_rw = "<%= @auth_unix_rw %>" + + +# Change the API access control scheme +# +# By default an authenticated user is allowed access +# to all APIs. Access drivers can place restrictions +# on this. By default the 'nop' driver is enabled, +# meaning no access control checks are done once a +# client has authenticated with virtnwfilterd +# +access_drivers = [ "<%= @access_drivers %>" ] + + +# no puppet parameters beyond this point, future releases will widen scope +################################################################# +# +# Authorization controls +# + + +# An access control list of allowed SASL usernames. The format for username +# depends on the SASL authentication mechanism. Kerberos usernames +# look like username@REALM +# +# This list may contain wildcards such as +# +# "*@EXAMPLE.COM" +# +# See the g_pattern_match function for the format of the wildcards. +# +# https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching.html +# +# NB If this is an empty list, no client can connect, so comment out +# entirely rather than using empty list to disable these checks +# +# By default, no Username's are checked +#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] + + +################################################################# +# +# Processing controls +# + +# The maximum number of concurrent client connections to allow +# over all sockets combined. +#max_clients = 5000 + +# The maximum length of queue of connections waiting to be +# accepted by the daemon. Note, that some protocols supporting +# retransmission may obey this so that a later reattempt at +# connection succeeds. +#max_queued_clients = 1000 + +# The maximum length of queue of accepted but not yet +# authenticated clients. The default value is 20. Set this to +# zero to turn this feature off. +#max_anonymous_clients = 20 + +# The minimum limit sets the number of workers to start up +# initially. If the number of active clients exceeds this, +# then more threads are spawned, up to max_workers limit. +# Typically you'd want max_workers to equal maximum number +# of clients allowed +#min_workers = 5 +#max_workers = 20 + + +# The number of priority workers. If all workers from above +# pool are stuck, some calls marked as high priority +# (notably domainDestroy) can be executed in this pool. +#prio_workers = 5 + +# Limit on concurrent requests from a single client +# connection. To avoid one client monopolizing the server +# this should be a small fraction of the global max_workers +# parameter. +# Setting this too low may cause keepalive timeouts. +#max_client_requests = 5 + +# Same processing controls, but this time for the admin interface. +# For description of each option, be so kind to scroll few lines +# upwards. + +#admin_min_workers = 1 +#admin_max_workers = 5 +#admin_max_clients = 5 +#admin_max_queued_clients = 5 +#admin_max_client_requests = 5 + +################################################################# +# +# Logging controls +# + +# Logging level: 4 errors, 3 warnings, 2 information, 1 debug +# basically 1 will log everything possible +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +# +# WARNING: It outputs too much information to practically read. +# WARNING: The "log_filters" setting is recommended instead. +# +# WARNING: Journald applies rate limiting of messages and so libvirt +# WARNING: will limit "log_level" to only allow values 3 or 4 if +# WARNING: journald is the current output. +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +#log_level = 3 + +# Logging filters: +# A filter allows to select a different logging level for a given category +# of logs. The format for a filter is: +# +# level:match +# +# where 'match' is a string which is matched against the category +# given in the VIR_LOG_INIT() at the top of each libvirt source +# file, e.g., "remote", "qemu", or "util.json". The 'match' in the +# filter matches using shell wildcard syntax (see 'man glob(7)'). +# The 'match' is always treated as a substring match. IOW a match +# string 'foo' is equivalent to '*foo*'. +# +# 'level' is the minimal level where matching messages should +# be logged: +# +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple filters can be defined in a single @log_filters, they just need +# to be separated by spaces. Note that libvirt performs "first" match, i.e. +# if there are concurrent filters, the first one that matches will be applied, +# given the order in @log_filters. +# +# A typical need is to capture information from a hypervisor driver, +# public API entrypoints and some of the utility code. Some utility +# code is very verbose and is generally not desired. Taking the QEMU +# hypervisor as an example, a suitable filter string for debugging +# might be to turn off object, json & event logging, but enable the +# rest of the util code: +# +#log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util" + +# Logging outputs: +# An output is one of the places to save logging information +# The format for an output can be: +# level:stderr +# output goes to stderr +# level:syslog:name +# use syslog for the output and use the given name as the ident +# level:file:file_path +# output to a file, with the given filepath +# level:journald +# output to journald logging system +# In all cases 'level' is the minimal priority, acting as a filter +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple outputs can be defined, they just need to be separated by spaces. +# e.g. to log all warnings and errors to syslog under the virtnwfilterd ident: +#log_outputs="3:syslog:virtnwfilterd" + + +################################################################## +# +# Auditing +# +# This setting allows usage of the auditing subsystem to be altered: +# +# audit_level == 0 -> disable all auditing +# audit_level == 1 -> enable auditing, only if enabled on host (default) +# audit_level == 2 -> enable auditing, and exit if disabled on host +# +#audit_level = 2 +# +# If set to 1, then audit messages will also be sent +# via libvirt logging infrastructure. Defaults to 0 +# +#audit_logging = 1 + +################################################################### +# UUID of the host: +# Host UUID is read from one of the sources specified in host_uuid_source. +# +# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid' +# - 'machine-id': fetch the UUID from /etc/machine-id +# +# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide +# a valid UUID a temporary UUID will be generated. +# +# Another option is to specify host UUID in host_uuid. +# +# Keep the format of the example UUID below. UUID must not have all digits +# be the same. + +# NB This default all-zeros UUID will not work. Replace +# it with the output of the 'uuidgen' command and then +# uncomment this entry +#host_uuid = "00000000-0000-0000-0000-000000000000" +#host_uuid_source = "smbios" + +################################################################### +# Keepalive protocol: +# This allows virtnwfilterd to detect broken client connections or even +# dead clients. A keepalive message is sent to a client after +# keepalive_interval seconds of inactivity to check if the client is +# still responding; keepalive_count is a maximum number of keepalive +# messages that are allowed to be sent to the client without getting +# any response before the connection is considered broken. In other +# words, the connection is automatically closed approximately after +# keepalive_interval * (keepalive_count + 1) seconds since the last +# message received from the client. If keepalive_interval is set to +# -1, virtnwfilterd will never send keepalive requests; however clients +# can still send them and the daemon will send responses. When +# keepalive_count is set to 0, connections will be automatically +# closed after keepalive_interval seconds of inactivity without +# sending any keepalive messages. +# +#keepalive_interval = 5 +#keepalive_count = 5 + +# +# These configuration options are no longer used. There is no way to +# restrict such clients from connecting since they first need to +# connect in order to ask for keepalive. +# +#keepalive_required = 1 +#admin_keepalive_required = 1 + +# Keepalive settings for the admin interface +#admin_keepalive_interval = 5 +#admin_keepalive_count = 5 + +################################################################### +# Open vSwitch: +# This allows to specify a timeout for openvswitch calls made by +# libvirt. The ovs-vsctl utility is used for the configuration and +# its timeout option is set by default to 5 seconds to avoid +# potential infinite waits blocking libvirt. +# +#ovs_timeout = 5 From 71b2c89686f957a586ab284d779c8a1108f72ba6 Mon Sep 17 00:00:00 2001 From: Matt Darcy Date: Wed, 13 Aug 2025 12:04:43 +0100 Subject: [PATCH 36/36] create virtsecretd.conf erb for EL9+ --- templates/virtsecretd.conf.erb | 361 +++++++++++++++++++++++++++++++++ 1 file changed, 361 insertions(+) create mode 100644 templates/virtsecretd.conf.erb diff --git a/templates/virtsecretd.conf.erb b/templates/virtsecretd.conf.erb new file mode 100644 index 0000000..9ca3b62 --- /dev/null +++ b/templates/virtsecretd.conf.erb @@ -0,0 +1,361 @@ +# This file is managed by puppet - changes will be overwritten + +# Master libvirt daemon configuration file +# + +################################################################# +# +# UNIX socket access controls +# + +# Set the UNIX domain socket group ownership. This can be used to +# allow a 'trusted' set of users access to management capabilities +# without becoming root. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# This is restricted to 'root' by default. +unix_sock_group = "<%= @unix_sock_group %>" + +# Set the UNIX socket permissions for the R/O socket. This is used +# for monitoring VM status only +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows any user. If setting group ownership, you may want to +# restrict this too. +unix_sock_ro_perms = "<%= @unix_sock_ro_perms %>" + +# Set the UNIX socket permissions for the R/W socket. This is used +# for full management of VMs +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows only root. If PolicyKit is enabled on the socket, +# the default will change to allow everyone (eg, 0777) +# +# If not using PolicyKit and setting group ownership for access +# control, then you may want to relax this too. +unix_sock_rw_perms = "<%= @unix_sock_rw_perms %>" + + +# Set the UNIX socket permissions for the admin interface socket. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows only owner (root), do not change it unless you are +# sure to whom you are exposing the access to. +#unix_sock_admin_perms = "0700" + +# Set the name of the directory in which sockets will be found/created. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +unix_sock_dir = "<%= @unix_sock_dir %>" + + + +################################################################# +# +# Authentication. +# +# There are the following choices available: +# +# - none: do not perform auth checks. If you can connect to the +# socket you are allowed. This is suitable if there are +# restrictions on connecting to the socket (eg, UNIX +# socket permissions), or if there is a lower layer in +# the network providing auth (eg, TLS/x509 certificates) +# +# - sasl: use SASL infrastructure. The actual auth scheme is then +# controlled from /etc/sasl2/libvirt.conf. For the TCP +# socket only GSSAPI & DIGEST-MD5 mechanisms will be used. +# For non-TCP or TLS sockets, any scheme is allowed. +# +# - polkit: use PolicyKit to authenticate. This is only suitable +# for use on the UNIX sockets. The default policy will +# require a user to supply their own password to gain +# full read/write access (aka sudo like), while anyone +# is allowed read/only access. +# + +# Set an authentication scheme for UNIX read-only sockets +# +# By default socket permissions allow anyone to connect +# +# If libvirt was compiled without support for 'polkit', then +# no access control checks are done, but libvirt still only +# allows execution of APIs which don't change state. +# +# If libvirt was compiled with support for 'polkit', then +# the libvirt socket will perform a check with polkit after +# connections. The default policy still allows any local +# user access. +# +# To restrict monitoring of domains you may wish to either +# enable 'sasl' here, or change the polkit policy definition. +auth_unix_ro = "<%= @auth_unix_ro %>" + +# Set an authentication scheme for UNIX read-write sockets. +# +# If libvirt was compiled without support for 'polkit', then +# the systemd .socket files will use SocketMode=0600 by default +# thus only allowing root user to connect, and 'auth_unix_rw' +# will default to 'none'. +# +# If libvirt was compiled with support for 'polkit', then +# the systemd .socket files will use SocketMode=0666 which +# allows any user to connect and 'auth_unix_rw' will default +# to 'polkit'. If you disable use of 'polkit' here, then it +# is essential to change the systemd SocketMode parameter +# back to 0600, to avoid an insecure configuration. +# +auth_unix_rw = "<%= @auth_unix_rw %>" + +# Change the API access control scheme +# +# By default an authenticated user is allowed access +# to all APIs. Access drivers can place restrictions +# on this. By default the 'nop' driver is enabled, +# meaning no access control checks are done once a +# client has authenticated with virtsecretd +# +access_drivers = [ "<%= @access_drivers %>" ] + +# no puppet parameters beyond this point, future releases will widen scope +################################################################# +# +# Authorization controls +# + + +# An access control list of allowed SASL usernames. The format for username +# depends on the SASL authentication mechanism. Kerberos usernames +# look like username@REALM +# +# This list may contain wildcards such as +# +# "*@EXAMPLE.COM" +# +# See the g_pattern_match function for the format of the wildcards. +# +# https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching.html +# +# NB If this is an empty list, no client can connect, so comment out +# entirely rather than using empty list to disable these checks +# +# By default, no Username's are checked +#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] + + +################################################################# +# +# Processing controls +# + +# The maximum number of concurrent client connections to allow +# over all sockets combined. +#max_clients = 5000 + +# The maximum length of queue of connections waiting to be +# accepted by the daemon. Note, that some protocols supporting +# retransmission may obey this so that a later reattempt at +# connection succeeds. +#max_queued_clients = 1000 + +# The maximum length of queue of accepted but not yet +# authenticated clients. The default value is 20. Set this to +# zero to turn this feature off. +#max_anonymous_clients = 20 + +# The minimum limit sets the number of workers to start up +# initially. If the number of active clients exceeds this, +# then more threads are spawned, up to max_workers limit. +# Typically you'd want max_workers to equal maximum number +# of clients allowed +#min_workers = 5 +#max_workers = 20 + + +# The number of priority workers. If all workers from above +# pool are stuck, some calls marked as high priority +# (notably domainDestroy) can be executed in this pool. +#prio_workers = 5 + +# Limit on concurrent requests from a single client +# connection. To avoid one client monopolizing the server +# this should be a small fraction of the global max_workers +# parameter. +# Setting this too low may cause keepalive timeouts. +#max_client_requests = 5 + +# Same processing controls, but this time for the admin interface. +# For description of each option, be so kind to scroll few lines +# upwards. + +#admin_min_workers = 1 +#admin_max_workers = 5 +#admin_max_clients = 5 +#admin_max_queued_clients = 5 +#admin_max_client_requests = 5 + +################################################################# +# +# Logging controls +# + +# Logging level: 4 errors, 3 warnings, 2 information, 1 debug +# basically 1 will log everything possible +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +# +# WARNING: It outputs too much information to practically read. +# WARNING: The "log_filters" setting is recommended instead. +# +# WARNING: Journald applies rate limiting of messages and so libvirt +# WARNING: will limit "log_level" to only allow values 3 or 4 if +# WARNING: journald is the current output. +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +#log_level = 3 + +# Logging filters: +# A filter allows to select a different logging level for a given category +# of logs. The format for a filter is: +# +# level:match +# +# where 'match' is a string which is matched against the category +# given in the VIR_LOG_INIT() at the top of each libvirt source +# file, e.g., "remote", "qemu", or "util.json". The 'match' in the +# filter matches using shell wildcard syntax (see 'man glob(7)'). +# The 'match' is always treated as a substring match. IOW a match +# string 'foo' is equivalent to '*foo*'. +# +# 'level' is the minimal level where matching messages should +# be logged: +# +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple filters can be defined in a single @log_filters, they just need +# to be separated by spaces. Note that libvirt performs "first" match, i.e. +# if there are concurrent filters, the first one that matches will be applied, +# given the order in @log_filters. +# +# A typical need is to capture information from a hypervisor driver, +# public API entrypoints and some of the utility code. Some utility +# code is very verbose and is generally not desired. Taking the QEMU +# hypervisor as an example, a suitable filter string for debugging +# might be to turn off object, json & event logging, but enable the +# rest of the util code: +# +#log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util" + +# Logging outputs: +# An output is one of the places to save logging information +# The format for an output can be: +# level:stderr +# output goes to stderr +# level:syslog:name +# use syslog for the output and use the given name as the ident +# level:file:file_path +# output to a file, with the given filepath +# level:journald +# output to journald logging system +# In all cases 'level' is the minimal priority, acting as a filter +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple outputs can be defined, they just need to be separated by spaces. +# e.g. to log all warnings and errors to syslog under the virtsecretd ident: +#log_outputs="3:syslog:virtsecretd" + + +################################################################## +# +# Auditing +# +# This setting allows usage of the auditing subsystem to be altered: +# +# audit_level == 0 -> disable all auditing +# audit_level == 1 -> enable auditing, only if enabled on host (default) +# audit_level == 2 -> enable auditing, and exit if disabled on host +# +#audit_level = 2 +# +# If set to 1, then audit messages will also be sent +# via libvirt logging infrastructure. Defaults to 0 +# +#audit_logging = 1 + +################################################################### +# UUID of the host: +# Host UUID is read from one of the sources specified in host_uuid_source. +# +# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid' +# - 'machine-id': fetch the UUID from /etc/machine-id +# +# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide +# a valid UUID a temporary UUID will be generated. +# +# Another option is to specify host UUID in host_uuid. +# +# Keep the format of the example UUID below. UUID must not have all digits +# be the same. + +# NB This default all-zeros UUID will not work. Replace +# it with the output of the 'uuidgen' command and then +# uncomment this entry +#host_uuid = "00000000-0000-0000-0000-000000000000" +#host_uuid_source = "smbios" + +################################################################### +# Keepalive protocol: +# This allows virtsecretd to detect broken client connections or even +# dead clients. A keepalive message is sent to a client after +# keepalive_interval seconds of inactivity to check if the client is +# still responding; keepalive_count is a maximum number of keepalive +# messages that are allowed to be sent to the client without getting +# any response before the connection is considered broken. In other +# words, the connection is automatically closed approximately after +# keepalive_interval * (keepalive_count + 1) seconds since the last +# message received from the client. If keepalive_interval is set to +# -1, virtsecretd will never send keepalive requests; however clients +# can still send them and the daemon will send responses. When +# keepalive_count is set to 0, connections will be automatically +# closed after keepalive_interval seconds of inactivity without +# sending any keepalive messages. +# +#keepalive_interval = 5 +#keepalive_count = 5 + +# +# These configuration options are no longer used. There is no way to +# restrict such clients from connecting since they first need to +# connect in order to ask for keepalive. +# +#keepalive_required = 1 +#admin_keepalive_required = 1 + +# Keepalive settings for the admin interface +#admin_keepalive_interval = 5 +#admin_keepalive_count = 5 + +################################################################### +# Open vSwitch: +# This allows to specify a timeout for openvswitch calls made by +# libvirt. The ovs-vsctl utility is used for the configuration and +# its timeout option is set by default to 5 seconds to avoid +# potential infinite waits blocking libvirt. +# +#ovs_timeout = 5